Southwest Airlines Breaks Down Silos for Intrinsic Security

Ashley Speagle

In a new report from VMware Carbon Black, a whopping 77 percent of respondents agree: IT and security have a negative relationship.

“I wasn’t surprised by the stat,” says Carrie Mills, senior manager of cybersecurity for Southwest Airlines, at the RSA Conference in San Francisco. “We have conflicting priorities that we’re trying to deal with. The infrastructure team is trying to keep the network up and running, keep our servers running, and the security team is trying to chase after them and make sure everything they’re implementing is secure. So it creates some friction between the teams.”

Still, she says, “That’s not a stat I want to have at Southwest Airlines.”

Under Pressure

IT and security teams in the aviation industry are under unique pressure to secure what’s classified by the government as critical infrastructure—and it’s not all a typical data center environment.

“As an airline, we have two different cybersecurity focuses,” Mills explains. “We look at the IT side, our traditional data center, servers, network appliances, and provide the same security tools and principles that you guys are probably applying in your environments. But we also have the OT side of the house, our operating technologies, and that is where aircraft comes in.”

Starting 10 years ago, or more recently, airplanes now have an IP address.

Carrie Mills, Senior Manager, Cybersecurity, Southwest Airlines

Some of the basic cybersecurity principles Mills and her team use to secure the traditional infrastructure can also be applied to secure aircraft. To fill in the rest of the gaps, they work with others in the aviation industry to share security information.

Additionally, she’s trying a new, strategic approach known as intrinsic security.

Less Is More

“If you went to a doctor, you asked her, ‘How do you stay healthy?’ and she said you’ve got to have 5,000 tablets, you just couldn’t do that,” says Sanjay Poonen, chief operating officer for customer operations at VMware. “You focus on your diet: your proteins, your vegetables, your water.”

This scenario is much like the state of cybersecurity, says Poonen. Companies have thousands of security solutions to choose from to defend against rising ransomware attacks and other increasingly sophisticated cyberattacks. As they bolt on more solutions, however, security becomes more siloed and ineffective.

Instead, he suggests companies try something new: leverage intrinsic security. It’s:

  • Simple, not complex.
  • Baked in, not bolted on.
  • Proactive, not reactive.
  • Protecting the known good, not chasing the bad.

Essentially, less is more. By using fewer solutions across the entire IT environment—public and private clouds, devices and apps—companies can gain more visibility, efficiencies and cost savings.

“For us, intrinsic security is all about simplification and finding the correct balance of when we can leverage a platform that has security built in or when we need to buy that tool,” Mills says.

“We’ve been trying to look for ways to shrink our cybersecurity footprint,” she says. “How can we leverage the platforms that maybe the networking team already has in place and their security tools within those platforms? How do we get rid of some of the tools, the bolt-on cybersecurity technologies that we've implemented over the last 10 to 15 years?”

As companies like Southwest Airlines consolidate and unify solutions to secure more of their infrastructure, IT and security teams are forced to come closer together and work through any remaining obstacles to their own unification.

For example, Mills says, “One of the problems that we are starting to experience as we're looking at more of a platform is, who is on first now?”

Come Together

Typically, companies use multiple security solutions, which are managed by multiple security and IT operations teams. As this changes, teams will need to combine their expertise to manage a single platform.

“When you have a large security incident that you have to deal with, the first people that you need on your team are those infrastructure teams and those application team members,” Mills says. “If you have a positive relationship with them, it's going to make it a lot less stressful when you are dealing with a security incident.”

When we’re at our worst moments, we’re going to have to rely on the other teams to help us.

Carrie Mills, Senior Manager, Cybersecurity, Southwest Airlines

How can IT and security come together when 77 percent already have negative relationships?

“It is just simple things,” she says. “It's swinging by their office and saying hello. It is saying ‘Hey, do you want to go grab a cup of coffee? Let's see what is going on.’ Learn about their families. So, I have been trying to build positive relationships with my peers and also encourage my team members to go create those positive relationships with their peers.”

Professionals in the security industry have some of the most stressful, taxing jobs and long hours. Breaking down silos and eliminating friction between teams not only opens up communication and visibility but also helps our cyber warriors trudge on through a new world of ongoing threats, each more frightening than the last.