On the 17th episode of Enterprise Software Defenders, host Evan Reiser (Abnormal Security) talks with Mark Ferguson, CISO at Bombardier. Bombardier is a Canadian multinational aircraft company best known for producing premium business jets. It has over 17,000 employees and over $8 billion in annual revenue. In this conversation, Mark shares his thoughts on Bombardier's impressive scale, the complexities of cybersecurity in the aviation industry, and the role of AI in enhancing security operations.
Quick hits from Mark:
On cybercriminals using generative AI: “Cybercriminals’ work is all about volume. So it's about keeping the cost as low as possible and spreading the threat to the biggest volume possible. That's where AI will help them because it's going to enable them to widen the net for potential targets they can go after.”
On the rise of sophistication in cybercrime: “The most sophisticated criminals are using company’s own people and IT systems. It's way easier now to trick someone and log in to a corporate system, versus break through the firewall or hack a satellite.”
On AI Copilot’s ability to assist with cybersecurity: “Copilot came back within seconds and said this change happened by this person to this end point on this date and we were able to narrow in on what the change was and who made the change.”
Recent Book Recommendation: Jan Ullrich: The Best There Never Was by Daniel Friebe
--
Like what you hear? Leave us a review and subscribe to the show on Apple, Google, Spotify, Stitcher, or wherever you listen to podcasts.
Enterprise Software Defenders is a show where top security executives share how moves to the cloud have created an evolved threat landscape that requires new tools to protect against cybercrime. Find more great lessons from tech leaders and enterprise software experts at https://www.enterprisesoftware.blog/
Enterprise Software Defenders is produced by Josh Meer.
Evan: Hi there and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity. I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And I'm Mike Britton, the CISO of Abnormal Security. Today on the show, we're bringing you a conversation with Mark Ferguson, Chief Information Security Officer at Bombardier.
Bombardier is a Canadian multinational aircraft company best known for their production of premium business jets. They have over 17,000 employees and more than $8 billion of annual revenue.
In this conversation, Mark shares insights into the impressive scale of Bombardier, the complexities of cybersecurity in the aviation industry, and the role of AI in enhancing security operations.
Evan: All right. Well, maybe Mark, to kick us off, do you want to share, do you want to share maybe a little bit about kind of, um, your career journey up to this point and kind of how you arrived where you are today?
Mark: Sure. So, started out as a, an IT guy back in the early 90s, uh, left university when I worked for the local city, this was back in Scotland, so you can probably tell from my accent I'm not native to North America or Canada, where I am now. But I, I, I started there and, uh, probably, I think it was maybe four or five years into that role where, uh, Uh, restructuring in the city and the government and, uh, long story short, they put two teams together and part of this they said, so you go and shadow these guys for a day and they'll shadow you for a day.
Well, when I shadowed the, uh, the guy I was with, uh, he looked after the, the schools. So we got the first job done. Came in that day and I said, okay, what is it? He said, Oh, we're going to Morgan Academy. And I was like, well, fantastic. Cause that was my school. I said, great. I get to go back to my school. And I said, what exactly is the work?
He said, well, Some kid's been sick in the keyboard, uh, so we've got to go and clean the keyboard. And another kid's been sick and it's, uh, it's jammed the, the mouse ball. And, uh, so I thought, uh, at that point, I thought, well, maybe it's time to start thinking about, uh, another career. So anyway, I, I, I begun to get, uh, certified.
It was NetWare back in the day. Went through various roles in, uh, in IT, until, uh, I was working for a life safety company. And, uh, we were getting acquired by, uh, Uh, an American company, Honeywell. As part of that, that led to another career switch for me, because, uh, you know, I was beginning to think the, uh, the challenges of IT were beginning to change.
You could see the, uh, you know, the runway ahead was, uh, getting more challenging and cyber security was just becoming a thing. Back then, this would be about 20 years ago, maybe a little bit less. So I made the switch at that point, about 15-20 years ago, into cybersecurity. Basically cut my cybersecurity teeth at Honeywell, where through various job changes I worked up to the position of CISO, which I held until 2019, where I was working for Honeywell in New Jersey.
And then I moved to Bombardier, uh, at that point about five, five years ago, which involved another switch back to Europe. So we went back and we landed in Poland of all places, uh, which was, uh, which was a great experience. I never growing up, I never ever thought I would end up in Poland, but that's where we ended.
And sadly that was only for, uh, for about a year. Uh, we were in Poland before we came back to North America, which is where I am now located in, uh, Ontario. And I'm working for, uh, for Bombardier. So, uh, so that's, uh, hopefully a part of history of my career.
Evan: And maybe for our audience that might not be familiar with Bombardier, like, can you just share a little bit what the company does?
Mark: Yeah, so Bombardier makes the, uh, basically the, uh, premier best business aircraft. Uh, we are a pure play business aircraft manufacturer, which means we basically, uh, design, develop, build, and sell business aircraft. So, uh, you know, think of it as private jets, basically. That's what we build and we're, uh, number one and two in the market.
We compete mainly in the medium and large sized, uh, market. Uh, and, uh, you know, like I say, we're predominantly number one and two in both those markets.
Evan: And can you share a little more context about just like the scope and scale of the organization? I'd love to hear, I mean, it's, it's quite a complex business and operation that I think people would expect despite the sophistication of your, of modern aircraft, but maybe you could also share a little bit about, you know, what are some of the, you know, cybersecurity challenges that are unique to the organization that maybe some of your peers might not fully appreciate?
Mark: Yeah. So, so on the one hand, we're, we're quite a simple business, right? We only make one product, it's business jets. However, when you get into that, the whole process of how you design, build, and sell an aircraft, that starts to bring the, uh, the complexity into it. So, we're about 18,000 employees, and then we're probably, uh, you know, 7-8,000 various contractors and partners that support us.
So we're not, uh, you know, massive compared to some companies, but we're, we've got enough scale that it's, uh, we're big enough and we've got the complexity, which brings some of those, uh, I.T. and cyber security, uh, challenges, uh, to us.
So, you know, I would say in terms of those, uh, challenges, I mean what I'm seeing and what's, you know, causes me most stress right now, it's, uh, it's probably a variation on, uh, three themes. So one is the, uh, suppliers, the dependence on suppliers. We've got so many suppliers, particularly on the I.T. side, you know, from a cyber perspective, I've got to rely on these suppliers getting everything right every single time. Layer on top of the areas, uh, you know, we're expanding and rapidly moving into cloud and again, depending on those suppliers to, to get it right every single time.
And then the other piece is the I.T. environment. I just find I.T. is so complex. And, uh, particularly in this industry, aviation. Because there's a long tail to our product, uh, we've got to be able to support a product for 25 years or greater, which means a lot of the I.T. systems that were part of that initial build have got to exist.
So that brings with it a complexity that comes with a lot of, uh, legacy systems that just makes the job of securing these environments a lot harder. Uh, so it's not a, you know, the suppliers and supply chain. Uh, the move into cloud and then the complexity of I.T. These are the three areas which which cause me most concern.
Evan: When you first started, right, you know, almost five years ago, it was probably a simpler security environment, at least where you probably had more people, right, in an office that were, you know, on company managed devices, on a company managed network.
Today, I have to imagine you just have an increased number of people working outside kind of the corporate boundary, right, on their own devices. They can access IT systems from any network, any geography, right, any device. And so that kind of, the boundaries change a lot. How has that affected kind of, you know, how you think about security, right?
Is that kind of as the perimeter gets increasingly, you know, fuzzy?
Mark: Yeah. So, I mean, we, we've gone through our challenges there as well, and we're still working some of them. I mean, even right now this week, we've got, uh, changes going on that are basically reversing a lot of the decisions we made during that COVID era when everybody, you know, fled from the offices, started working at home.
We got everybody enabled so we can keep the business running. But a lot of those, uh, systems and changes you put in place, right, it takes a long time to reverse them because people like being able to come to work with their, uh, personal mobile phone and connect to the network and get their email. So, you know, slowly we've reversed that, same with, uh, PCs, you know, people like to be able to connect up to the web apps, their Office 365 web apps and, uh, you know, browse their email and download files.
So again, we're having to go back and reverse that. So there is no perimeter now, right? The perimeter is where the person is, so, you know, we, we're slowly going through the different use cases to begin to either get the control back or reverse it or get it into a state that we're at least, confident that we've reduced the risk.
Evan: Expectations are at all-time highs, right? For AI. And like, it's, it's almost, it's, it's certainly in some areas at the point of absurdity. Although there are some kind of, you know, tangible examples. And I, I agree with you, right? I think they're happening in places where there's like a very specific use case where that technology just coincidentally helps, you know, do that use case better.
I think it's undeniable though, that some of these tools will be used by bad guys. Right. If nothing else. You know, it's easy for anyone to write an email in perfect English, right. With some organizational context that might not otherwise have. And so, yeah, like how, how do you think criminals will take advantage of that?
Right. And like, I don't think we're gonna have a. You know, like the apocalyptic sci fi AI attacks, but like, presumably like you said, in your copilot example, you know, AI can be used to augment humans, right. And there is some benefits there. You know, what are the risks that you think you and your peers should be thinking about, right. As we go into a world where criminals are at least augmented, if not supercharged with, with AI technology.
Mark: Yeah, I mean, I think you're right that those same things I spoke about how, you know, AI is enabling us to, to crunch through data a lot quicker to get to answers a lot sooner, right? I mean, criminals are going to use that same capability, you know, whether it's to find vulnerabilities in, uh, in software or to write better phishing emails, uh, or to create deep fakes, uh, you know, that's gonna, which I expect will be the next iteration of, you know, the current phishing email tactic will eventually move on to deep fake emails and, uh, videos and voice calls. Uh, I know it's already happening in some cases, but, you know, they're going to take that and, and leverage it against us.
But, uh, the next challenge will be, you know, this next phase of tools and capabilities that the cyber criminals acquire, uh, leveraging AI. Uh, you know, how, how are companies like Microsoft, Abnormal going to be able to, to help, uh, organizations like ours to, uh, to stay ahead of that and to, uh, to be able to combat those threats?
Evan: I think probably like the marketing fear around how bad AI is right now for criminals is, is exaggerated. There probably are a couple examples, right, that are indicative of, like, what the future's going to look like from a threat perspective.
Are there any specific things you've seen, right, or heard about maybe from your peers, right, of, you know, criminals using these technologies that, you know, even though it might be kind of a small number of things today, you feel like are representative for the types of things you have to be prepared for in the future?
Mark: So, so within my community, no, we haven't seen anything, uh, firm yet. I would say the biggest challenge we've seen is, uh, you know, people with the best intentions doing the wrong thing. For example, uploading confidential data to ChatGPT, to tell ChatGPT to go analyze it and come back with some insight. That right now, I would say, is probably the biggest issue for most organizations: how do you control your employees and make sure they're managing that information and the, you know, the data that they've got and not sharing it with
any public gen AI, ChatGPT-type environment where that data is going to be retained for future use, right? And it's potentially going to come back, uh, and be replayed or reused, uh, or useful to somebody else, uh, that, that, you know, might either stumble on or query for that information. So, uh, so I think the, uh, the employees more than the criminals right now are the, uh, the biggest challenge for us.
And you know, the cyber criminal, their work is, it's all about volume, right? So it's keeping the cost as low as possible and spreading the threat, uh, to the biggest volume possible. And that, you know, that's where AI will help them, right? Because it's going to enable them to, uh, Uh, I guess, you know, I guess widen the net for the potential targets, uh, they can go after and reduce that cost to, uh, launch whatever attack it is thereafter.
So, uh, so I think, I think that's, you know, where, where they'll be able to take advantage of, uh, uh, Gen AI and other AI models.
Evan: Mark, you and your team have been, um. You know, very kind of forward thinking and kind of exploring these new technologies, right. And trying to figure out, you know, how, how you can take advantage of like what actually works without succumbing to some of the hype and maybe kind of wasted energy.
I know we're still in the very early days of how these technologies can improve, you know, security, but are there any examples where you've seen any of your team's kind of usage of AI, you know, help do something that maybe couldn't have been done in the past? And even though it might be very small, it kind of gives you hope that like, hey, like this type of thing, five years from now, we could be doing 10X more of that, right? That just makes you bullish about the long term, or any, any other kind of examples you can share about where you've seen some promise?
Mark: Yeah. So, so we had a situation, uh, maybe three, three, four weeks ago where we, we saw an anomaly in the environment. I seem to recall it was an impossible traveler situation that got flagged up and, uh, you know, we were trying to find out, well, what's going on here? Has something changed in the environment which caused this to get flagged up?
We couldn't figure out. The team looked at it and they were looking at the various visitor limit rates we've got in, the different Microsoft, uh, sources we've got to try and piece together the, uh, the structure and the story of what was going on and, you know, it was taking a while and then, you know, one of the guys said, look, let's, let's see what, let's feed it into Copilot and let's see what it does. And I mean, it came back within seconds and said, this change happened by this person to this end point on this day. And they were able to just narrow in on what the change was, who made the change.
Now, the data that came back, it didn't tell us the person specifically, but we got the, uh, uh, you know, details of the, uh, I think it was the end point that came back. Well, the long story short, we were able to quickly get to who did what a lot quicker than just going through screens and screens and screens of different event data, login data, and hopefully, you know, stumbling across it. Through Copilot, we're able to get to it much, much quicker. So that's just one success story. So far, we haven't had anything major since then, but we're continuing to look at it.
There's promise there. So, you know, we're kind of optimistic that over time, we're going to get the benefits of, uh, of that, because like I say, that's always been the big challenge for me is taking all this great data you get from people at Microsoft and then turning it into something meaningful.
Evan: Yeah, and you have to imagine that just gets increasingly hard in the future when you have more enterprise applications, each of them are creating more sets of data, right?
You have exponential data growth, the attacks are getting more sophisticated, and presumably most teams aren't going to have exponential growth of their headcount, right? And so at some point we have to reconcile that, we need every person to be able to effectively analyze more data. It's hard to imagine how that works without technology, whether it's data science or machine learning, AI or whatever, whatever the next thing is, right? Like there's got to be some technology there to increase our productivity and understand that data.
Mark: Yeah, I mean, we're testing one or rather gave the challenge to one of our teams. Because what we're trying to, uh, take a look at now is, uh, so if you look at our cloud usage, how do I know what's risky and what's important, right?
So I asked the team, I said, give me a report of all the, uh, SaaS usage we've got going on today. And the report came back and it was, uh, well, we're using 11,000 services. It's like, oh, well, okay. So that's like, okay, so how, how do I get from 11,000 to like, let's say the top 50 most critical? It's almost impossible, right?
It's because then it depends. Well, what do you consider critical? You know, different services. People are sharing different data. Others have got different business uses. So it's almost impossible to get from 11,000 to what you would consider to be the core things that are going to represent the biggest threat to your organization.
So I thought I would turn it over to the, uh, to the AI guys and said, Hey, can you, can you guys, uh, can you take a look at this? And, uh, I don't know if you can do some magic in your, uh, with your data scientists and, uh, through your AI, uh, skills. And how do we get insights from this data that we can then turn back to the organization and say, look, this is how we're using SaaS.
This is the type of data we're uploading. This is the numbers, this is the volumes. These are the, whether it's 50 or 100 or 10, that we've got to focus on and keep tracking. Uh, so, we'll see if AI or the data scientists can help us with that one. Hopefully they can.
Evan: Well, Mark, I only have a couple minutes left. We like to end episodes with a bit of a lightning round. So maybe go through like, I don't know, a couple of questions and we'd love to get your kind of like one-tweet answer. These questions are very difficult to answer in one tweet, so please forgive me in advance.
But, um, yeah, so let me, um, let me kind of kick a couple off, right? So what advice would you give to a security leader that maybe just stepped in their first CISO job about what they might kind of underestimate or overestimate about the role?
Mark: Know your business, listening and knowing and learning what the business does. And ultimately, why are you there, right, because if you do those three things, you'll learn why you're there and why they need you there.
Evan: One of the things I've just been impressed with kind of you and your team is, you know, you guys are surprisingly up to date on like the latest developments and technologies. What advice would you have for maybe some of your peers that are trying to stay up to date with the latest innovations in AI or, you know, the threat landscape?
Mark: Tough question, because it seems, uh, maybe I'm wrong here, but it seems self evident that anybody that works in cyber security has got to stay ahead of the technology.
Right, I mean, in this role, you've got to juggle a lot of hats. You know, you gotta, you gotta be able to navigate organizations, you know, mentioned, you gotta be able to know your business. You gotta be able to know the business leaders and what motivates them. And, uh, but also, I think, uh, people overlook the importance of understanding the technology and I, I do think you've, you've gotta, you've gotta know enough that when you're sat in a room and you're being asked to make a decision, you can look at the, whether it's an architect or a developer or a supplier, and, you know, you understand enough that you can make that right decision, right?
And that basically, you got to be able to cut through the BS. And that means you got to be able to know and be able to go in and talk credibly, uh, whether it's, you know, business organization, technology, innovation. You got to learn all these skills.
Evan: That, that, that makes sense to me. Maybe switching gears to the more personal side. Um, what's a book you've read that's had a big impact on your, on your leadership?
Mark: The one that was probably recently most inspiring was a guy called Jan Ullrich, who was a German cyclist, and he was, uh, he was Lance Armstrong's, uh, uh, what would you say? He was the bridesmaid to Lance Armstrong's, uh, bride. He was like second in the Tour de France every time. Uh, Lance Armstrong, uh, one of our, but reading his story and how, again, he had a lot of personal issues, uh, on the back of that era of, uh, doping and cycling and seeing how he worked through that and how he, how he came back from it.
I think it's, it's always inspiring when you see somebody that, you know, they look like they've lost everything, uh, but somehow they, you know, they, they, they navigate a path back to something approaching happiness and fulfillment.
Evan: What do you believe is going to be true about AI's future impact on cybersecurity that most people, you know, would consider science fiction? So looking for your kind of contrarian view, where you have a different opinion than maybe the average person.
Mark: Uh, well, I mean, I think, I think if it delivers on its, uh, what is it they talk about it becoming a sentient being? Uh, if it does deliver on that, and I got to think one day it will. Right, I mean, it's inevitable that just through, you know, if you look at the history of humans and how we innovate and develop and how quickly things move and then, you know, that curve is just getting quicker and quicker and quicker, I think eventually true intelligence will be delivered.
I don't know when it's going to be, uh, but when it does, I think some of these things that we haven't figured out how to control it. I think in some cases it will control us, maybe not as a, you know, the entire population or, or so, but I think in some cases it might control us, right? Or it will unwittingly trigger a series of events that weren't anticipated, right?
It's the unintended consequences, which I think, uh, is what will come true, in some shape or form, right? I mean, there's no doubt.
Evan: What would be your kind of like one-tweet answer to, um, you know, what advice do you want to share for the next generation of security leaders?
Mark: I would say careful what you wish for. You know, this role, the CISO role, it's always developing, it's always changing, but I think any leader coming into it should take the time to learn the different skills that you're going to need to be successful in the role. And there's a lot, right? You've got to be able to deal with legal, you've got to be able to deal with data protection, HR, finance.
Uh, there's a lot of business, uh, acumen you got to acquire to be successful. If you're going to sit in front of these people and build a relationship, uh, be credible, speak and be heard with confidence. And a lot of that comes down to taking the time to engage with the business, you know, learn the business.
Um, you know, like I said earlier, listen, uh, to what they're saying. Cause when you listen, you'll hear what's important to them. And then when, you know, what's important to the business. What their strategy is, you can then define, well, how am I going to bring the value I bring, which is helping them do business securely, to this equation. So know your business and listen to them.
And, uh, don't expect an easy ride either. I mean, this is, I, I don't know. I've been doing this now for, uh, eight years, uh, a little bit longer here in a Honeywell and new stuff comes up every day, every week. And it's like, you know, just when you think you've got all the answers, you realize, ah, never had that question before. I'm going to have to go, uh, figure that one out and get back to you. So, uh, so yeah, I'll always, always be ready for that next question that you, uh, you know, you hadn't anticipated and just be open to what that answer might need to be.
Evan: Well, I think that will resonate with a lot of people and I think wise advice. Well, Mark, thank you so much for taking the time to join us. Great to chat with you and I'm looking forward to chatting again soon.
Mark: Thanks Evan. Take care.
Mike: That was Mark Ferguson, Chief Information Security Officer at Bombardier. I'm Mike Britton, the CISO of Abnormal Security.
Evan: And I’m Evan Reiser, the CEO and founder of Abnormal Security.
Mike: Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprisesoftware.blog.
Evan: This show is produced by Josh Meer. See you next time.