How a motorcycle accident equates to your security program

August 29th, 2017 by Sean Smith, CISSP

“Only a biker knows why a dog sticks his head out of a car window”. ~Author Unknown
“Accidents hurt — safety doesn’t”. ~Author Unknown

I typically commute to the office every day on my motorcycle. I know, everyone is amazed that a person responsible for managing risk would ride a motorcycle, or so I’ve been told. Sometimes people think I’m a little crazy when it’s 9 degrees outside and I’m rolling in on my beloved Triumph Tiger. My SUV has a bumper sticker that says “Screw your therapy, I ride a bike”.

Because I do have a background in managing risk, I’ve applied the same techniques and processes that a good security program utilizes to my motorcycle riding. I have a defense in depth, or layers of protection, on both my bike and me. Here are just a few of the things that are in place every time I get on my bike and head out:

  • Helmet – I ALWAYS wear a helmet on anything with two wheels
  • Jacket with armor – CE rated armor in the back, shoulders and elbows
  • Gloves – riding gloves with protection for all areas of my hands
  • Riding pants with armor – CE rated armor in hips and knees
  • Riding boots – heavy duty leather work boots with steel toes
  • Engine crash guard – protects the motorcycle and puts crash protection in front of my legs
  • Bright fog lights – 2000 lumen LED fog lights so I can be seen by other motorists
  • Rear luggage – helps protect the back of my legs against a crash besides the storage
  • Bright LED brake light – to be seen by others following me

But it’s not just the equipment that helps manage that risk. I take a motorcycle safety course every two years. North Carolina provides a free safety course through Bike Safe NC (http://www.bikesafenc.com/) and I always recommend the Motorcycle Safety Foundation (https://www.msf-usa.org/) courses. I’ve attended both and learn something new every time. Good training will always pay dividends in any risk situation. Phishing e-mail training for your staff always results in better front line protection from your people.

Managing risk on a motorcycle comes down to operational awareness. You need to be in tune with your environment, evaluate your risks in real time, and adjust your position on the road to account for those risks, just as your security program needs to identify risks in real time and adjust to them. Technology, processes, audits, human reactions, etc. are integral parts of your security program that help you manage the risk and maintain your organization’s operational awareness.

At some point, you will have an incident occur and must react to it. Monday, 8-14-2017 I was hit on my motorcycle by an 81-year-old man who was not paying any attention to his surroundings. I was locked into my lane with no place to go and literally had to slow down as much as possible and take the side swipe hit. I had slowed to 5 MPH before the hit and was thrown onto the adjoining sidewalk with my 500-lb. bike on top of me.

I was not injured because of the protective gear in place. Reporting this incident to the authorities (my spouse) was the hardest part.

My mind immediately went to why it happened and what could have been done to avoid the crash. In this instance, I needed to have a higher level of skepticism in the way the gentleman was driving before passing him. I used the same process of review/lessons learned used in our security program.

Here are the lessons that I learned from the crash that apply directly to the security program at work:

  1. People are your best asset – slowing the bike to 5 MPH and my preparation before the crash.
  2. People are your worst enemy – the gentleman told the police that he did see me.
  3. Defense in depth can stop incidents from escalating to breaches (or injuries) – layers need to be in place before an incident occurs.
  4. Defensive layers need to be enhanced or replaced once an incident occurs – apply lessons learned and replace or enhance those layers that were damaged or ineffective.
  5. After Action Reports (AAR) – always use a process to evaluate and document what happened and what changes need to be made before the next incident occurs.

In this case my incident did not escalate to the level of a breach. The Defense in Depth worked. It definitely helped save my life. Lesson learned: always evaluate the incident, your response to the incident, and the effectiveness of your controls (defensive layers), and apply those lessons learned.

Sean Smith, CISSP

About Sean Smith, CISSP

Sean E. Smith, a Senior Security and Compliance Engineer with GPM, has over 32 years of experience in information security, cybersecurity, HIPAA Privacy and Security, operational security, enterprise infrastructure and operations. At GPM, he has been responsible for infrastructure planning, installation, deployment, operations, change management and security. He is also responsible for the creation and operation of HIPAA Compliance, Risk Assessment, and SOC Level 1 Type 2 programs, which passed external auditing with No Exceptions. Prior to joining GPM, he worked in and/or founded several IT Consulting firms with a focus on small medical groups. Additionally, he spent four-plus years as a VP at Bank of America involved in Enterprise Architecture planning, application management and business IT integrations. Finally, he also has an intelligence background: he spent eight years in the US Navy as a Cryptologist deployed to Fast Attack submarines. Quite a ride.