Client story

SITA’s Product Security Office: Setting New Cybersecurity Standards for the Air Transport Industry


SITA is a major player in the air transport industry. The company offers a wide range of IT solutions and services to its clients – airports, airlines and governments. These include systems for airport operations management, baggage handling, passenger processing and passenger flow management, border control, airline ground operations, network infrastructure services, on-board aircraft systems and more.

Alexandre Izri, Cybersecurity Director at SITA, has agreed to share the story behind the creation of a team dedicated to product security: the Product Security Office (PSO).

SITA turned to Wavestone for its cybersecurity expertise, to help frame and execute initiatives that contributed to the team’s launch and development. This interview explores the strategies put in place to meet the growing security requirements of digital products. More than a technical discussion, it explores the internal dynamics of a company that is a leader in its field, faced with the need to continually adapt its cybersecurity strategies to address the changing threat landscape.


Cybersecurity in the Air Transport Industry: How does SITA overcome key challenges?

When did it become clear that a dedicated product security team was needed?

Our activities require us to protect not only our own environment, but also those we operate for our customers. We do this in the face of constantly evolving risks and threats, like ransomware, supply chain attacks, and geopolitical tensions. The major focus of the aviation industry is to avoid disruption so our customers expect the highest level of security for their operations. Added to this is a regulatory landscape that has been changing rapidly over the past decade or so, particularly in terms of personal data and critical infrastructure protection (GDPR and NIS Directive in the European Union, equivalent regulations in many countries and regions around the world).

Our digital products require a high level of security, adapted to increasingly demanding clients and the growing scrutiny of international standards and regulations. This is a commitment that starts from the SITA Executive Leadership, including CEO David Lavorel and CISO Mark Orosz, and led to the creation of the SITA Product Security Office (PSO).

We wanted from the beginning to establish a detailed vision of our capabilities, and to align them with a clear target, compliant with global requirements as well as specific requirements for each solution and region. I like to use the analogy of a ‘dynamic requirements catalogue,’ constantly updated to meet the needs of our clients and regulators.

A striking number: in calls for tender for aviation IT services, security can account for as much as 30% of the total evaluation criteria when selecting the successful bidder!

Why did you turn to Wavestone for support?

We needed to benefit from both cutting-edge expertise in cybersecurity and an operational capacity to support strategic planning, project framing and execution, including technical security assessments.

We thought of Wavestone because we had previously established a good relationship. Their team had demonstrated the right level of expertise, and we saw them as genuine sparring partners capable of providing cross-functional, long-term support.

Redefining product security: SITA’s transformation

 

Can you summarize the key steps behind creating a Product Security Office (PSO)?

This has been a journey over several years, but we started by mapping out our security products, processes and needs. With the help of Wavestone, we pinpointed our solutions’ strengths and areas of improvement. This step involved a security review: interviews with SITA employees, technical tests, evaluation against international standards and drafting of a report and recommendations. To give you an idea of the scale, our first campaign involved more than 30 products.

This enabled us to create a clear roadmap for strengthening our security, taking into account our specific characteristics.

Wavestone helped us redesign our processes for embedding security into products throughout their entire lifecycle: development, deployment, operation and decommissioning. This covers the definition of technical and organizational security requirements at each stage, related governance and assurance activities.

When it comes to our clients’ needs, we have built a business case library to fasten and better structure our response to their requests.

What have been your greatest challenges – and your most effective fixes?

SITA works with customers from all over the world meeting diverse security requirements and maturity levels, all operating within a highly regulated industry. We had to identify security specifications that I call “universal”, because they cover 80% of the requests we receive. For example, depending on the client, the same access control requirements will refer to an ISO standard, another from NIST or from local laws. This then enables us to focus on the remaining 20%, which are more specific and require dedicated efforts.

The team spent almost a year reviewing and learning from previous engagements to create a reliable library. Today, we have entered a phase of continuous improvement. Of course, there are always special cases, but at this stage we are comfortable with the level of customization we can absorb or not.

Innovating in cybersecurity: what it changed for SITA

What are the most significant results of your transformation?

We have put in place a clear and agile security process that is fully embedded in all our products’ lifecycle. It is fully scalable and enables SITA to anticipate new technical trends and regulations. Thanks to a solid security baseline, SITA is able to meet most of market demand.

Far from being perceived as a limitation, security is an essential part of our value proposition.

I am especially proud of the successful on-boarding of the Product Security Office within the company. The team is known and renowned for its reliability and expertise. Security is an integral part of SITA’s identity.

What would you like to share with a company experiencing a similar challenge?

When we started this journey, there was little information available on digital product security management in similar environments. Today, I would like to offer my take on the questions I asked myself back then.

It is critical to establish a specific strategy for product security, independent of the corporate security. This strategy should be tailored to the digital product’s particular features and consider the unique challenges raised by an international footprint, even more so in a critical and regulated industry such as the Air Transport Industry.


The creation of the SITA Product Security Office is the story of a transformation towards a dynamic and innovative cybersecurity posture, ultimately serving the sustainable development of the Air Transport Industry.

Contact

  • Aurélien Antonoff

    Senior Manager – Switzerland

    Wavestone

  • Alexandre Izri

    Cybersecurity Director

    SITA
