Roger Williamson was 25 years old when he ran his second Formula One Grand Prix on 29 July 1973 in Zandvoort, the Netherlands. On his eighth lap, his car crashed, flipped upside down and almost immediately caught fire. Williamson was however still alive but trapped under the car. One of the drivers, David Purley, stopped his car and tried to turn Williamson’s upright under the eyes of the track marshals, passive, ill-equipped and ill-trained, and that of the other drivers who continued racing. Williamson eventually died of asphyxiation.
He was one of the names in the long list of the many victims of this dangerous job, as death at that time was considered part of the job. A fatality – “the deadly seventies”. In the opening credits of Rush (Ron Howard, 2013), Niki Lauda states: « Twenty-five drivers start every season in Formula One, and each year two of us die. » But Williamson’s death changed the attitude towards security in Formula One because it was broadcasted live. Pilots were requesting more and more security measures and did not want to race in any conditions. They increasingly requested the FIA to manage and reduce the safety risk and death toll decreased significantly. As a result, since 1980, only 5 drivers lost their lives during a Grand Prix despite some spectacular crashes.
« Twenty-five drivers start every season in Formula One,
and each year two of us die. »
On 29 November 2020, Romain Grosjean crashed at the Bahrain Grand Prix when his car speeding at 220 km/h impacted a barrier, with an estimated force of 53 g (fighter jet pilots train in a centrifuge at 9 g only). Grosjean eventually suffered only minor injuries but survived. The halo that was introduced in 2018, although initially highly criticized among drivers, is credited for saving his life.
The human being, especially at a time where we (try to) expose opinions in 280 characters, prefer simple explanations over complex ones because complexity is, well, too complex. But if you compare Williamson’s crash to Grosjean’s, the latter was in fact saved by a whole chain of security features and layers that have been gradually introduced and/or improved over the years through constant research:
- Circuit configuration with run-off areas wide enough to decrease car’s speed
- The crash barriers: the material, their orientation to better absorb the energy of the collision and keep the car on track, their distance from the track
- The tires around the track to also absorb the collisions’ energy
- The gravel traps to reduce speed before impact on the barrier or the tires
- The car: structure (monocoque), cockpit (aka the survival cell) and its configuration, 6-point harness seat belts, tires, now the halo
- The driver’s equipment: gloves, helmet, fire-resistant overalls, his physical training
- The medical provisions at tracks: a private clinic for each circuit, the medical staff, the most up-to-date medical equipment, rescue cars, extrication teams, ambulances and helicopters
- The track marshals and the fire marshals
- All the procedures and the training of those staff in case of an accident and an emergency, the yellow and red flags, the safety car
And I probably miss some others. In fact, it was a combination of all those layers of security and protection that saved Romain Grosjean’s life and reduced the impact and likelihood of his injuries (risk management 101).
* * *
Well, cybersecurity is the same. Many believe that having a firewall, an antivirus and (why not) updating their Windows PC and servers according to Microsoft’s monthly security bulletins keep them safe and secure. Nothing can be more wrong than this conception. Nothing can be more naive. IT departments cannot rely on isolated elements. It is a global, holistic and constant corporate effort that must involve all actors inside the network and beyond. It is only a combination of people, processes and technology that will be able to make an IT infrastructure resilient and protect confidentiality and integrity of data, and availability of systems.
To secure their information systems and their IT infrastructure, companies must at least concentrate on the following fundamental aspects, which are an absolute minimum:
- Have a precise and extensive inventory of all managed assets: what does the company operate, what does it therefore protect? (Asset Inventory)
- Manage accounts accessing their systems and the access rights of those accounts: who precisely can access what and what operations is this account able to execute? (User Access Management and Identity Management)
- Manage, monitor and protect accounts that have extra privileges (e.g. the IT administrators): they can give controlling powers to malicious outsiders or insiders over an IT infrastructure (Privileged Identity Management)
- Segment the IT network to contain the propagation of a virus or a malevolent actor across all infrastructure: an office has segmented spaces, so should have an IT network (Network Segmentation)
- Protect the endpoints (workstations, laptops, mobile phones, IoT devices), as users are easily tricked into installing malware unbeknownst to them (Endpoint Protection)
- Properly encrypt data at rest and data in transit: encrypted data is useless if stolen or intercepted (Data Encryption)
- Scan the IT infrastructure for known vulnerabilities and apply remediation plans, in particular security patches issued by vendors (Vulnerability Management)
- Develop secure configuration baselines for all types of IT assets and apply them (Configuration Management)
- Ensure backups of data and/or replication of the IT infrastructure outside of the current one exist and learn how to restore corrupted data (Backups and Disaster Recovery)
Cybersecurity dashboards presented to Management Committees, Executive Committees and Boards of Directors should include an overview of the risk levels of those elements as a minimum.
I must confess that the first one is my favourite one. This is also the least sexy, the least regarded, the most tedious, the most administrative, the most forgotten, but the most essential: how can a company protect what it does not know the existence of? A forgotten server, therefore unprotected, can have its vulnerabilities easily exploited to further conduct extended malicious operations in an IT infrastructure with potentially devastating consequences. And from my experience, when it does exist, it is always incomplete and not up-to-date. It is a good starting point to insist on focusing on this uncomfortable element. Completeness of an asset inventory will significantly drive the organisation towards the right direction.