To view older blog posts, please visit the archives section.

Airplanes?

I’m an aviation nerd—I spend hours listening to air traffic control (ATC) communications and learning about how airplanes interact. I’m never going to be a pilot; I just deeply appreciate that world.

The aviation industry has faced countless challenges over the years. Sometimes, issues are clear-cut, with human error being the obvious culprit. Other times, extensive investigations are needed, and occasionally, the true cause remains a mystery. To me, this complexity is fascinating.

One key insight from aviation incident reports is that accidents rarely happen in isolation. It’s seldom a single failure that causes a crash; more often, it’s a cascade of errors that eventually aligns, sometimes starting with a detail so small it’s heartbreaking to consider.

The Swiss Cheese Model

Explaining the cascading effect of failures can be tough, which is why aviation experts use the Swiss cheese model as a metaphor. Imagine a block of Swiss cheese—full of holes, yet it’s rare for a hole to span the entire block. If you slice the cheese and shuffle the pieces, the holes rarely align. However, given enough time, they eventually do, creating a clear path through the cheese.

In aviation, that alignment can lead to tragic outcomes. In IT security, a similar alignment of factors can result in data breaches, system outages, or other severe incidents.

Debunking the "Single Vulnerability" Myth

Some might argue, “A single CVSS 10 vulnerability can bring a business to its knees!” To that I say: mostly, no.

Let’s consider a worst-case scenario: a newly published vulnerability that allows unauthenticated remote code execution in the IP implementation of a popular operating system. This critical flaw would generally be described as a doomsday scenario. Stop and ask yourself what it would take to truly cripple your business:

• Operating System in Use: You must be running the vulnerable OS.

• Exposure: Some machines are directly connected to the open internet.

• Exploit Conditions: The precise conditions required for the exploit are met.

• Network Architecture: Your network lacks segmentation, leaving systems interconnected.

• Critical Services: Key external servers provide essential functions that cannot afford downtime.

• Operational Constraints: You have limited ability to take machines offline for maintenance.

Only when all these factors align—a total of six layers in our Swiss cheese model—does your business face a real major threat. A single layer presenting a situation in your favour, such as improved network segmentation, could buy valuable time or, if lucky, prevent exploitation altogether.

Lessons for the Security Industry

The main takeaway is that it takes a convergence of multiple factors for a vulnerability to wreak havoc. Preventive measures—whether best practices or security appliances—are essential. However, even the strongest defenses can be undermined if the holes in the cheese line up.

Ask yourself:

• Can your security team detect and understand the vulnerability in time?

• Do your leaders have the capacity to handle a crisis when it emerges?

• Have you cultivated a security-minded culture that empowers rapid and effective action?

The past does not guarantee the future. Just because your history appears strong doesn’t mean your defenses are immune to the eventual alignment of failures.

By learning from aviation, the security industry can appreciate that a robust defense relies on multiple, well-maintained layers. Each layer is a safeguard against potential threats, but if all fail simultaneously, even the best system can be compromised.

In the end, yes, a CVSS 10 vulnerability is a threat. But rarely will it single-handedly bring your business down if care was taken in implementing preventive measures in your various practices.