Wayne Smith believes his seat at the board has allowed IT security to be considered at an earlier stage of procurement decisions
Birmingham Airport has ambitious plans to become one of Europe’s leading regional airports; it wants to attract 18 million passengers to fly in and out of the airport by 2033, up from 13 million. An investment of £500m will be made to increase the size of the airport, expand the number of seats, shops, restaurants and aircraft stands, and upgrade its baggage sorting area.
This is the next stage of transformation for an airport that has seen its passenger numbers steadily increase year by year; several years ago, when it first hit 10 million passengers a year, senior decision makers decided to change the IT function from a background service support function to a team that was operationally critical and on-site 24 hours a day.
Wayne Smith, who was head of IT at the time, says that this change, along with changes to legislation through GDPR and the NIS Directive, meant that the perception of IT and IT security transformed – and the business realised that it required someone at board-level that understood both areas.
Smith had campaigned for this – explaining to the business why IT and IT security needed to be considered important – and after an application process two and a half years ago, he was eventually given a dual role, factoring in both the CIO and CISO roles at a board level.
Now, as IT and information security director at the airport, he tells NS Tech at the Cyber Security Connect UK conference in Monaco that his role encompasses both traditional IT and operational IT – covering the airport operating systems required for passengers, bags and aircraft, as well as information security.
“It has been a challenging transformation. However those working in IT and information security have a good understanding of every part of the organisation as you’ve worked with each department at some point. This stands me in good stead going into board rooms discussing the developments in airfield or terminals or aviation security or physical security, as well as within departments such as commercial, HR or press,” Smith says.
Having a seat at the board has helped to change when information security is considered part of the conversation – previously it may have been bolted on as an afterthought, whereas now it can be considered at the beginning of any procurement decision.
“If the organisation is looking to buy a new physical security system to screen passengers or new baggage and check-in systems, you can have the conversations about the cyber aspects of operational technology at the early stages, whereas previously you would be reliant on whoever you are reporting on – in my case the [chief financial officer] – to raise those for you, and that wasn’t always at the forefront of their minds, so it’s better and easier and quicker now to get that done when you have a seat at that table,” he says.
Smith’s previous deputy has moved into the head of IT role that he left vacant, while there is also a head of information security who reports into him. As testament to how business-orientated the organisation feels that Smith is, he has also been given an additional business section reporting to him on an interim basis.
“I’ve got the motor transport section reporting to me. If I was totally techie or information security focused they wouldn’t have given me a generic department to look after in the interim. Much of this role is about managing people, and this is what I have experience of,” he says.
Smith explains that many of the cyber security tools on the market generate a lot of information, but that resources are then required to make something out of this information. As he has a small team, the organisation has been careful to invest in systems that use machine learning and artificial intelligence (AI), so that there is less of a workload for staff. This includes an AI system that is monitoring the airport’s network.
Another area of interest is a virtual security operation centre (SOC) that’s run using an AI engine.
“That interests me because people in a SOC are human as well and they can miss things or situations, and there have been other organisations that have outsourced their SOCs and they’ve had events they’ve missed as a result. There’s no value in that. If the computer does the same thing all day, every day, regardless of being tired, it’s less fallible than people,” he explains.