For cybersecurity compliance, pay attention to the safety demonstration

As the airplane prepared for takeoff, I glanced up to watch the routine safety demonstration. It’s something most travelers tune out, yet it struck me how this familiar protocol mirrors the world of cybersecurity. Both are built on clear guidance, enforced consistently and designed to protect lives — whether in the air or in the digital realm. In that moment, I saw a parallel: Just as flight safety depends on proactive planning and clear roles, effective cybersecurity hinges on preparation, awareness, and accountability.

Human behavior is the weakest and strongest link.

Airlines leave nothing to chance when it comes to safety. Every crew member is trained, and every passenger is given instructions. The same should apply to cybersecurity. Organizations need clearly documented policies and regular, meaningful training for every employee, not just the IT team.

The flight attendant on my flight was clear and consistent in applying policies and enforcing rules. This included reminding passengers of the rules through motivation and punishment. 

“You want a beverage? You had better have your seat belt on.” 

“Your carry-on doesn’t fit under the seat? You’re going to check it, or you aren’t flying today.”

She had a job to do, and it was safety first. No excuses. 

Similarly, an organization’s cybersecurity posture depends on user behavior. One person clicking a phishing link can open the door to an attack – even if they’ve completed the mandatory training.

Cyber Takeaway: Foster vigilance and make secure behavior second nature.

Compliance isn't optional – It’s safety-critical.

On a flight, ignoring safety procedures has real consequences. Cybersecurity is no different. Compliance with frameworks like National Institute of Standards and Technology (NIST), Cybersecurity Maturity Model Certification (CMMC), or International Organization for Standardization (ISO) isn't just about checking boxes — it's about reducing risk across your environment.

As technologists and cyber professionals, we often fail because the willingness to enforce is lacking. We don’t always have a clear view of the mission, the dynamic risk profile, or how all the controls work, or should work, together to enforce policy. The authorizing official gets tired of waiting and “accepts the risks,” or the security operations center lets that one senior executive take data outside of the organization’s controls so they can work on travel. We all know the workarounds.

Cyber Takeaway: Make compliance a lived behavior, not a paperwork exercise. 

Enforcement alone doesn't build security.

Policies and frameworks are essential, but enforcing rules without context can confound our business partners. Cybersecurity must go beyond mandates to educate and empower. 

Leidos combines technical expertise, situational awareness, and emotional intelligence to protect mission-critical systems. We don’t just enforce policies; we partner with organizations to adapt to evolving risks and support secure operations.

Cyber Takeaway: Combine policy enforcement with purpose-driven education.

Cyber compliance is not just about checking boxes — it's about creating a culture of accountability and resilience. Like a vigilant flight attendant ensuring passenger safety, we must enforce policies with clarity and consistency while empowering organizations to adapt to evolving risks. Compliance is the foundation of trust, and trust is the cornerstone of security.

Josh Salmanson
Leidos Vice President of Defensive Cyber Practice

Accountability should empower, not intimidate.

Many organizations fear breaches not just for the damage, but for the blame. A strong cyber culture shifts that mindset. It fosters ownership without fear. Everyone should know their role: who reports, who responds, and who recovers.

Just as airlines drill for emergencies before they happen, cyber teams should simulate incidents regularly and review roles, so people feel confident, not confused, when something goes wrong.

Let’s face it — cyber professionals have a tough job. We’re not just the “Department of No” anymore. We’re enablers of secure business operations, and that means balancing toughness with partnership.

Cyber Takeaway: Make accountability clear, constructive and confidence-building.

Leidos and cybersecurity

Cybersecurity, like flying, is about more than just technology; it’s about trust, accountability, and partnership. Just as airlines undergo third-party training and flight preparedness checks, organizations should install their own systems of checks and balances to reduce blind spots and vulnerabilities.    

The Leidos approach is rooted in partnership. Through initiatives like the Accredited Testing & Evaluation Lab, we work alongside organizations to help their systems and solutions meet rigorous compliance standards. By identifying vulnerabilities, validating controls, and supporting certification efforts, we help organizations strengthen their defenses and instill confidence in their operations.

Cybersecurity is a shared responsibility, much like the collaboration between passengers and crew for flight safety. Whether safeguarding critical infrastructure or supporting secure digital transformations, Leidos is committed to supporting secure operations that drive mission success.

Author
Josh Salmanson VP, Defensive Cyber Practice

Josh Salmanson is a veteran technology and cybersecurity leader with over 30 years of experience across federal, defense and intelligence sectors. As Vice President of the Leidos Defensive Cyber Practice, he drives innovation through automation, scalability and repeatable solutions to strengthen cyber defense postures. His expertise in offensive and defensive cyber operations, strategic risk management and operational resilience has been pivotal in advancing initiatives at leading organizations. Salmanson is a recognized thought leader dedicated to empowering organizations against evolving cyber threats. He is also the Chair of the WashingtonExec Cyber Council and a member of the technology advisory board for Concurrent Technologies.  

Posted

July 8, 2025
