Security 7 award winner Andre Gold:
The risks associated with converting future aircraft into what amounts to a flying IP network probably send shudders through the spines of airline information security managers.
Not Andre Gold.
These are the challenges that drive Continental Airlines' director of information security. Answering seemingly impossible mandates has been the hallmark of Gold's career with the airline. In 10 years he's served in two capacities: six years as technical director of Internet services, developing and managing an ecommerce infrastructure that last year raised $1.6 billion for the airline, and the last four as information security manager.
Securing a network with endpoints in 277 countries has forced Gold to sharpen his flight plan and become proficient in everything from vulnerability management to provisioning, to network access controls.
And, oh by the way, he's pursuing an MBA part time at Colorado State University, meeting head-on a trend in the infosecurity industry that holds that managers must have business chops to remain relevant.
"The days of the firewall, IPS and other sexy technologies are over [for CISOs]," Gold says. "It's about how you mitigate risk and improve shareholder value with the security program you implement."
That takes us to Gold's latest venture, bringing services like wireless broadband connectivity and secured ground-to-cockpit communication and data sharing to next-generation aircraft.
Gold represents Continental on the Data Link Security Subcommittee, an industry board that includes representatives from other airlines, the Air Force and manufacturers like Boeing, Honeywell, Airbus and Rockwell. The group is drafting security protocols that will govern not only Wi-Fi connectivity, but also how future aircraft connect to their respective carrier networks, offload messages, and upload data like gate information.
While Gold thrives in an industry perennially targeted by terrorists--Continental was one of the airlines speculated as a target in August's foiled plot to blow up U.S.-bound airplanes from the U.K.--he contends with direct and indirect Internet-based threats every day.
The airline's ecommerce system connects to other airlines, hotels and rental-car agencies, creating a bevy of disparate places from which attacks could infiltrate the airline's network.
"From a cyber perspective, attacks won't come from just one place. Continental may not be the target, but could become the target after an affiliate is penetrated," Gold says. "That's what makes the task so daunting."
Geography presents another challenge to the security of Continental's network and policy expression and enforcement. Operations in 277 countries force Gold and his teams to sharpen their awareness of international regulations. And since Continental outsources service delivery in many countries, lack of employee awareness could raise liability and exposure.
Gold's reputation precedes him as not only a technically savvy manager, but one who is passionate about reaching out to vendors--startups in particular--and researchers.
"I like working with technology incumbents who want to listen, or startups with valued security IP. There's a lack of innovative technology that addresses my liabilities," Gold says.
ConSentry Networks, for one, has benefited from Gold's insight into network access controls, says Dean Hickman-Smith, vice president of sales.
"[Gold] has always been able to rapidly understand and work with new technologies, not just buzzword stuff of the moment," Hickman-Smith says. "He can rapidly get down to technical details with new vendors to ascertain if there is value in their products.
Hickman-Smith adds that Gold is one of the first CISOs to understand the true value of identity within a network context, and fit that into a business context.
"Andre has an extremely nice personality, and that makes people want to go the distance for him," Hickman-Smith says.
"I see him as a CIO, CTO type of guy in the not-too distant future."
This story was originally published by Information Security Magazine, part of the TechTarget network.