COVER STORY
a wider remit, looking at risks beyond
the scope of cybersecurity and adding
compliance and product security to
the role. Transitioning from being CISO
of one large multinational to another
has provided some powerful insights
into the common threats that face all
organisations today. While the two
organisations share similarities, they
have very different business models
and internal cultures, and face a similar
yet different array of opportunities and
challenges around cybersecurity as a
result. However, it is also notable that
the two companies are being assailed by
many of the same threats – as are most
others around the world.
“Despite these shared challenges,
organisations still tend to fight their
security battles in isolation, with the
particulars of threats and counter
strategies being closely guarded
secrets. With cybercriminals becoming
increasingly more organised, security
leaders must also begin to lower these
barriers and begin to work together
more closely.”
Addressing the biggest cyberthreats
Ferguson continued: “As a large
high-profile organisation working in
transportation and aviation, Bombardier
presents a number of different
cybersecurity challenges that I’ve had to
get to grips with as CISO – the person
ultimately in charge of risk, compliance
and cybersecurity for the organisation.
“Understanding the business and
the types of threat actors that are
interested in it, their motivations and
types of attacks they would employ is a
high priority for CISOs. Transport and
infrastructure are potential targets for
terrorists and hostile nation states, and
so securing that infrastructure against
cyberattacks is paramount. The loss
of trust that would result from failing to
protect the public and customers from
a cyberattack would have a significant
reputational impact.
“Securing products and data has
also become even more important as
companies branch into more digital
offerings such as connected aircraft.
One of my biggest priorities is to balance
the opportunities of new technology
against the potential risks it introduces.
“While these kinds of unique advanced
threats loom large, our day-to-day
security operations are often generally
focused on more common security
issues. A high priority for me is to
reduce reliance on humans when it
comes to cybersecurity. Email is easily
the most common vector for attack
and we spend a lot of time dealing with
phishing, spoofing and business email
compromise (BEC) attacks targeting our
executives, admin staff and accounts
payable team. These attacks usually
impersonate a trusted contact such
as another executive or a supplier,
attempting to trick our employees into
sharing sensitive data or authorising
funds. When our staff come to work, they
need to be able to trust, open and click
everything they see in their mailbox, so
keeping email secure is essential.
“These types of attack were also one
of the most prevalent issues in my
previous roles and are a serious issue
for businesses of all shapes and sizes.
Indeed, the Internet Crime Complaint
Center (IC3) found that there were over
20,000 BEC victims around the world
in 2018, with total losses exceeding
US$1.3 billion. Because attackers
rarely use malicious attachments
anymore, countering the deceptive
emails used in these attacks requires
investment into advanced email security
tools that can spot more subtle signs of
identity impersonation.
“In a previous role at a large international
organisation, we were able to deliver
the highest efficacy rates when we
implemented Microsoft Office 365 layered
with Agari’s email security technology to
protect against inbound email phishing
and outbound brand spoofing.”
Communicating with the board
Ferguson said: “A CISO needs to not only
understand the cyberthreats facing their
business, but effectively relate them to the
board of directors. Establishing a strong
relationship with senior leaders is essential
52 Issue 24 | www.intelligentciso.com