How Data Security Makes Flying Fearless

Rich Licato uses education and awareness to keep sensitive information safe at the Airlines Reporting Corporation

If you’ve purchased a plane ticket online through a third-party outlet like Expedia, Travelocity, or your neighborhood travel agency, Airlines Reporting Corporation (ARC) is the company that settles the transaction between you and your ticket-seller. The company has been serving airlines, travel agencies, and other related travel services for more than thirty years. Today, its data warehouse holds 60 percent of all of the world’s ticket transactions.

With high volumes of data being processed every day, ARC needs someone like Rich Licato. As the company’s chief information security officer, Licato’s top priority is to protect ARC’s data and to stop cybercriminals from stealing sensitive information. In fact, throughout his career, he has been a leader in raising awareness for data protection. Prior to joining ARC, Licato managed information systems for federal home loan lender Fannie Mae for nearly seventeen years, including a stint where he advised the Hong Kong Monetary Authority. Now, he is at the helm of information security in an even more specialized industry.

What does the role of chief information security officer at ARC entail?

ARC is an airline-owned company, and we accredit travel agents in the United States and handle back-end ticket settlements. There are two ways to buy an air ticket: you can go directly to an airline’s site or an online or local travel agent. All payments outside of the airline’s website come through us.

We make money in two different ways: through fees associated with airline agency transactions and through providing data and analytical tools to our customers to help them make fact-based decisions. My role as chief of information security is to protect our data, systems, and premises at all times.

What types of events do you work to avoid?

There could be a data incident, where someone has access to our information that shouldn’t, or a service disruption. People do this in a lot of malicious ways, like someone trying to shut down your website or interfere with a communication source.

I’ve always stood up for protecting data. I’ve implemented programs from the ground up or reset departments when they have a broken infrastructure. I’ve done that in several different roles, whether it involves enterprise architecture, information security, or risk management. In each, it’s all about taking stock of what you’re doing at the moment, doing some analysis, and then executing a vision to make a positive change.

How do you stay on top of all these risks?

The best way to keep up to date involves reading current security publications, newsfeeds, and blogs; talking with colleagues; and meeting with other CISOs to hear about their challenges. There are also information-sharing organizations called ISACs, or information sharing and analysis centers, and we subscribe to two of them: one for financial services and another for the aviation industry. They give real-time updates of what people are experiencing and how to avoid attacks.

What are some challenges you’ve encountered in your role?

The threats are ever-changing. We’ve seen a huge explosion in ransomware within the past year, where someone can hold up your business at any moment. There’s also targeted spear-phishing, which pinpoints specific business executives and tries to manipulate them to compromise the organization. It’s easy to become fatigued in keeping up with these programs and how they change, so building awareness is always difficult.

What did you learn from working and living in Hong Kong?

I learned how companies and organizations are built from the ground up and to always look at the big picture. When I arrived in Hong Kong, our goal was to build a new organization—the Hong Kong Mortgage Corporation—for the country’s government. The business provided a secondary mortgage market to its citizens, which was previously unavailable. I was there to advise them from a technology perspective, but there was much more to consider. We started with two employees and no business model or building, so we had to start from scratch. When I left a year later, it had everything it needed: a great location, set of employees, technology, etc.

I had to understand all aspects of the business and was involved daily with legal, finance, human resources, and operations. It was something I took with me to future positions.

I enjoyed learning about the numerous cultures based in Hong Kong and did every touristy thing possible. I also learned how to properly use chopsticks, which was useful.

What was ARC’s culture like before your arrival?

Luckily, the culture was security-aware when I came, but it was narrowly focused. It was only concerned with credit card information. We had to identify other sensitive information we might have beyond that. I think informing the organization of this possibility caused a cultural shift. Now, we are very security-aware and focus on all sensitive information.

How can you best protect ARC and its people?

The best way is through education. Our employees are the first and last line of defense, and their perseverance will help us succeed in any situation. To do that, I need to always be conscious of where the company stands, its goals and visions, and how the threats are changing. Then, we can adjust our cultural makeup to match any alterations. It’s kind of like playing a cat-and-mouse game with your adversaries, but it’s important to take the process seriously, or we could be in a tough situation.

What are some of your proudest achievements at ARC, and what are your goals for the future?

I’m very proud of the risk management program we have implemented and our ISO27001 certification, especially since we’ve maintained that since 2013. When I first arrived at ARC, only a few employees made up the security organization with limited services, and we have fifteen or so now. Both of those achievements will help us preserve and continuously upgrade our program over time. We’re concentrating on doing much more improvement and moving services to the cloud in 2017. Everyone at ARC will make that possible, not just my team.

What makes you passionate about your job?

I’m responsible for making sure nothing bad happens. I enjoy working to succeed in that mission, and it makes me passionate for what I do. It’s a challenge, but I strive to provide an important service with my responsibility.