Executive Insights – Adam Wedgbury, Head of Cybersecurity Innovation and Enterprise Security Architecture at Airbus

Executive Insights are a series of discussions with c-suite executives from a range of industries, to learn about their roles and the part that digital transformation plays within their large organisations.

It’s safe to say Airbus is a big deal. As of 2019, Airbus is the world’s largest manufacturer of industry-leading commercial aircraft, helicopters, military transports, satellites and launch vehicles. The organisation also provides data services, navigation, secure communications, urban mobility and other solutions for customers on a global scale. So how does the security team deliver on such diverse demands that are also hugely sensitive? We had the privilege of sitting down with Adam Wedgbury to explore the workings of the cybersecurity function at Airbus, and the importance of a forward-looking strategy based on cutting-edge technologies. 

Could you explain a little about your role and what you do at Airbus?

I have two roles at the moment, the first being Head of Cybersecurity Innovation and Scouting. The team develops new technologies and best practices, working with academia to understand the latest and greatest ideas and taking that knowledge and maturing it into a solution that could be used at the enterprise scale. My second role is Head of Enterprise Security Architecture, reporting to the group’s CISO. Here I am responsible for the definition of our security and technical standards and architecture design referentials; the guides for how we solve common problems and that we foresee every day, from a high level security controls approach and that we can then apply across the entire group. 

So it’s quite a large differentiator from most other teams within Airbus who are focussed on the individual business units. Airbus is quite a complicated organisation in that respect. Both teams maintain a group level approach – writing, defining and publishing these standards and patterns that are applicable to the entire group globally. They apply across the group in two dimensions – one being the organisational dimension, so Airbus Commercial Aircraft, Airbus Defence and Space, Airbus Helicopters, plus our global network of affiliates and subsidiaries. Then the second dimension is more technology focussed; clearly we have a lot of IT, we have Operational Technology, which includes our production plants and assembly lines, and finally on products and services: the things that we build across the group. It’s quite a large scope in both dimensions of where we are impacting on the business.

What trends have you seen more recently within the cyber security space? 

The trends that I could talk about really vary depending on my two roles. On the architecture side, the real trends and drivers that we have from a defence perspective is the usage of cloud technologies in a scalable and secure way. It’s no secret that Airbus is very much a G-Suite house, so many of our productivity tools are in the Google domain. We want to find ways that we can operate securely in that domain with our most sensitive information, rather than trying to maintain two environments for less sensitive and more sensitive information. So the technology, the processes and the standardisation around that is probably a key trend for us internally. 

From a slightly broader perspective and looking to the future, automated cyber defence is a key topic, from both the adversarial side and the defensive side. For a number of years now, we’ve seen adversaries using automated technologies to design malware faster and more efficiently than we, as a (cyber) industry, can design our defensive systems to combat them. We want to see if we can utilise the same sort of systems to defend ourselves against this stuff. 

You may have heard of an OODA loop, it’s a military term that stands for observe, orient, decide, act. Fundamentally, the speed at which you can go round the OODA loop is how quickly you can respond to something changing. So at the moment, the automated attackers are very much inside the OODA loop of the defenders – they are spinning much faster than we can. So we are looking at ways to turn it on its head with a defensive system, meaning we can get inside the attackers’ OODA loop so that we can react and defend more quickly than they can produce attack techniques, using similar technologies to what they’re using.

What kind of role does digital transformation play at a large organisation like Airbus?

I think it has a huge role in productivity and modernisation in general, across most of our domains. The move to Google as our main productivity suite is seen as a huge digital transformation in terms of the way we collaborate, the way we can share documents and co-author things and get access from different devices and so on. 

But I think most businesses you see today will probably say the same thing… the biggest driver of digital acceleration in the last 10 years has been Covid. The move to working from home, from a scale of less than 10,000 users working remotely to over 100,000 simultaneous remote workers has been quite the change for us. And I think we were very fortunate to already be on the transformation journey with Google at the same time, which has probably made it much easier than if we had still been much more of an on-prem house. 

What’s your approach to bringing the digital transformation agenda to life within your role? How do you go about that? 

It’s an interesting question. That’s what we do in innovation, so we start by identifying problems that we have today across the group that we can’t solve by buying something off the shelf. Then it’s all about identifying or coming up with the idea to help solve that problem, and we bring the business along with us as we mature with that technology into something that’s enterprise-ready. That’s a tough gig. 

We have colleagues in our technical corporate research function, who work in other areas that are not related to cyber, and when they come up with an idea or a solution, they can take it to Airbus to bring that into reality, because that’s what we do. When we do that for cybersecurity, it’s much more difficult because we’re not a cybersecurity company. So we have to build much more maturity into those technologies and those ideas, before we can transfer them to the business. So that’s probably where most of our effort goes. 

You said that if there is not an option to buy something off the shelf, then you’ll look to build it internally. So is that always your first port of call, to look externally, for something that can be plugged in quite easily?

It’s a lot cheaper, quicker, and safer to buy something that’s ready to go than it is to make something in-house. Making something that works at the scale of Airbus is no easy task. So if there’s something that we can buy, that’s generally the way forward. But typically that’s not always about the technology. Making the technology is often the easier part, rather than the service and the support that goes around it. We can make a widget and the budget can solve the problem. But what we can’t do is then have the user manual, the safety assurances, the support and the scale around that, and we haven’t got a whole call centre worth of people offering technical support. 

What do you think the future of cybersecurity within the aerospace industry will look like and how do you see Airbus evolving with that?

I think we are only going to see more automated cybersecurity solutions and adversaries, so more explainable Machine Learning type of systems, more adversarial, defensive and attacking techniques. 

But I think that we’ll also see a huge growth in things like secure computing and multi-party computation, homomorphic encryption, and those kinds of technologies to help us do more secure collaboration and sharing of data as the industry moves and, as with everything, is getting more complicated. I think that’s clear throughout the aerospace industry, as well as all the others. So, increased collaboration and greater access to more computing resources will be key, and doing that in a secure way.