Afternoon Cyber Tea with Ann Johnson 1.23.24
Ep 89 | 1.23.24

Cybersecurity at 35,000 Feet


Ann Johnson: Welcome to Afternoon Cyber Tea where we explore the intersection of innovation and cybersecurity. I'm your host Ann Johnson. From the frontlines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today I am joined by Deneen DeFiore, Vice President and Chief Information Security Officer at United Airlines. Deneen is an accomplished technology and risk management executive with experience across multiple critical infrastructure sectors. She has developed expertise in advising global companies and their most senior executives on technology, cybersecurity, compliance, and digital risk-related decisions related to products, services, significant initiatives, and ongoing operations. At United, Deneen is responsible for the leading of the cybersecurity organization to ensure the company is prepared to prevent, detect, and respond to evolving cyber threats as well as commercial aviation cyber safety risk initiatives and improving cyber resilience across the aviation ecosystem as the chairperson of the Aviation Information and Sharing and Analysis Center, A-ISAC. What's more, Deneen is passionate about diversity in tech and promoting STEM education. Welcome to Afternoon Cyber Tea, Deneen.

Deneen DeFiore: Thanks, Ann. It's great to be here.

Ann Johnson: So you have a really interesting background. I understand you studied biology in university, which is unique for someone who made a career in cyber, so I'd love for the audience to understand how you've made your way all the way from biology to being CISO of one of the world's leading airlines.

Deneen DeFiore: Sure. I like to think of my technology journey as being at the right time at the right place and a little bit of luck as well, too, and a lot of hard work. I won't discredit that, but I started, as you mentioned, studying biology at the university and thought I would have a career in probably operations management at a hospital setting or healthcare facility, and during my graduate studies, we were going through some technology transformations, and throughout that process, I discovered that I really liked being on that end of the business, looking at the processes and the technology and how it could help us be better and more effective and efficient. So through that, I got into technology, so made a transition to tech first. Through that experience, I had different jobs, not only in health care, but took a chance and said if I could do this in health care, I could probably do this in another industry. Got a job at GE Aviation back in the day and that's how I started out in the aviation space. I did switch around careers. I had career paths. I had different jobs in infrastructure disciplines, middleware, ERP, things like that, and then I was -- worked my way up to be a CIO of one of our business units. We had experienced an incident, a cyber incident, and that was one of the first kind of exposures to, I'll say, cybersecurity that I had, and through that process, and that was a little while back now, now that I think about it, but through that experience, it really opened my eyes to different aspects of technology around how cybersecurity enables business processes and has implications way far more reaching than I ever imagined, and doing that really energized me and I ran with it and never looked back. So the rest of my career has been in cybersecurity since that.

Ann Johnson: That's just absolutely fascinating, and I know I talk to a lot of folks that actually their first exposure to cyber was some type of breach or event and then they said, "Wow, this is incredibly compelling work and I want to stay." So, welcome. You know, air travel is one of those things that most people just expect to work, right? When you walk in your house and turn on the lights, you expect them to come on. When you get on a plane, you expect to go where you're going on time, safely, etc., but it's really complex. The operations that go on behind the scenes, there's a lot of security, both physical and cyber considerations. Can you tell us a little more about the scope and scale of security and aviation and what that means for your role at United?

Deneen DeFiore: Sure. Yeah, air travel is amazing, when you think about it, the technology, not just the digital technology, but the ability and resiliency of the whole system is amazing. So from getting safely to point A to point B, there's a lot that needs to go on. At United, if you think about it, we are one of the largest commercial airlines. We're actually the world's largest airline now in -- measured by available seat miles. We've got about over 800 planes in our fleet, in our mainline fleet, and over 500 in our regional fleet, and if you're following the news, lots of airlines are adding to their fleet. We'll have about 700 new aircraft introduced to our fleet by 2032. So this historic unprecedented growth is amazing and it's amazing to be part of that journey here at United. But as that growth occurs, scope and complexity of digital risk increases as well, too. So what we do and my team does at United is really take a look at cybersecurity and digital risk management across that entire ecosystem and the whole business portfolio. So you think about our internal and operation systems, our customer technology, our planes, even, that we provide cybersecurity compliance and engineering for airworthiness requirements to also being a part of that collective defense and risk management in the aviation ecosystem. So scope is really kind of the whole business portfolio at the airline, and if you think about it, there's really that cybersecurity and digital risk management aspect in every part of the travel experience in the operation.

Ann Johnson: That's incredible, and I know that complexity and the reliance not just on yourself, but on the aviation ecosystem, including government entities globally, is kind of mindboggling to me, right? Because it's so complex and it lends, I know, to your work in the Aviation ISAC, which you're -- where you help the entire industry move forward. Can you talk a little bit about the priorities of the ISAC, and what challenges and concerns do the leaders you talk to, your peers, in the ISAC have?

Deneen DeFiore: Yeah, so we have a great trusted community within the Aviation ISAC, and I've been part of it since we started about, I think, eight or nine years ago now. The top priorities that we really focus on, again, number one is creating that trusted community, making sure that we have the mechanisms for effective and reliable and trusted intelligence in threat sharing so that we can collectively defend and protect the ecosystem. So we're really trying to make sure that we are building that community out with the tools and processes and our relationships that we deem to be important to us. The other thing is a very focus on the supply chain and ecosystem. If you think about air travel, again, it's a little unique, as we operate in many, many different locations. Our assets, our planes can be in New York and then six to seven hours be in London later, so we have to think about how do we make sure that we understand how we work within that ecosystem collectively given the nature of travel, how mobile and how complex and diverse it is. So we really focus on supply chain and building strong relationships with our suppliers to help them become more secure. And then, even though the Aviation ISAC isn't a regulatory lobbying agency, we do stay connected with our government partners as sharing intelligence as well as working with them to make sure that they are part of that collective defense as well, and that's not only in the U.S., it's globally. So the aviation is -- ISAC is a global organization. We really take that into consideration as we develop our approaches and priorities.

Ann Johnson: Yeah, the ISACs all do such great work with intelligence sharing amongst themselves, but also with global governments, and it's something that, as an industry, has matured a lot and is really driven, you know, the ISACs have really driven that information-sharing paradigm, and credit to all of you for that because I know it's all so very complex about how you share who you share with and the confidentiality of it. The complexity of your industry is something that we think about a lot when we think about just the current landscape in cyber, right? You have fliers, but you also have all of this infrastructure that you have to keep secure, including the technology on the plane, and so when you think about technology and you think about the current landscape and you think about your industry, what are you excited about? What are you thinking that could be really revolutionary for you? And then, you know, I hate the question "What keeps you up at night?" But what keeps you up at night?

Deneen DeFiore: Sure, yeah, there are so many innovations happening within the aviation sector, and I'll just probably give you two examples. I think about generative AI, that I'm very excited about, that we can use, everything to make your customer experience be more safe and effective by using that technology to personalization around your experience based on dynamic changes that are happening to you that moment. If it's a regular operations concerning a weather event or a delay or whatever, using generative AI to help that get you the most efficient, effective, and safe customer journey. So those are really exciting things, but there's also a lot of risks that go around with that as being a technology that is new that needs to be responsibly implemented and understanding the ways that it could be exploited or misused or abused as well, too. So we're putting a lot of focus on that right now. But in terms of how we think about technology, and especially in the lens of digital risk management, we always think about it -- I have a three-pronged approach, right? Always think about technology in terms of safety first, right? And that's basically a tenet of the table stakes for the aviation industry. So making sure that we have cyber safety built into our approach to technology, implementation, design, development, and operations, resiliency as well, too, because you know as a traveler that if there's a five-minute delay, that could definitely translate to much broader implications across not only your experience, but the network going forward. So we think about how technology needs to be resilient and be able to bounce back and get to stable operations. And then, of course, we think about technology from the security perspective and making sure that we have our data and our assets protected at all times.

Ann Johnson: And that's a lot. When you think about the complexity of your industry, I know all industries have their own complexity, right, but yours seems incredibly unique, and then you layer on that the new role of CISOs, actually, a newer role that's an upper end, CISOs having to go into the boardroom and translate really complex issues into risk in terms of the board will actually understand and be really talking in business-speak. I know you have a point of view on this. So how do you talk to your board, and how do you advise your fellow CISOs or aspiring security leaders of how they have to navigate this new paradigm of the boardroom and having risk-based conversations?

Deneen DeFiore: Yeah, I think that's such an important skill set to develop as a cybersecurity professional and executive leading those risk conversations. The way I talk to my board and my business leaders is in terms of, you know, everyone says business-speak, but what does that really mean? It's really understanding the outcomes we're trying to drive and the priorities of the airline. So, you know, if it's about the growth that we want to achieve or the customer engagement priorities that we have or the safety objectives that we have, how does the work that I'm doing impact those business priorities and objectives. So always trying to frame that in a way that is tying back to those higher-level concepts. The board, even though they may care about how many vulnerabilities you have, they don't, right? They care about your identifying risk or vulnerability, how fast you're able to do that and remediate it, and then the impact of what that means, you know, if you were -- it's an impact on resiliency or safety or even compliance. So really framing the work that you do in terms of those outcomes is so important. So that's the approach I take and the advice that I give to leaders as they are on that journey to have that seat at the table or build that trusted relationship with their board and executives.

Ann Johnson: I think that's really good advice, the focusing on outcomes as opposed to actually even programmatic security things, and what you're trying to drive and how you're keeping the organization safe are words that everyone can understand. So that business-speak and speaking of risk, because the board -- the board's job is risk. Great advice. Can we pivot a little bit and talk about skills in cyber? You know, there's this talent shortage. Nobody can hire fast enough. We're hiring folks and needing to train them, which is fine, right, for certain roles, but how do we need to think differently about people who might be turned off by the security industry because we talk in this weird vernacular and we use a lot of acronyms and they don't feel qualified, and how do you think about talent and skilling and bringing in the right folks and getting them up to speed?

Deneen DeFiore: Yeah, so I think you alluded to this, right? We can't hire our way out of, I'll say, cybersecurity job shortage right now. We have to change the way we look at this, and my philosophy is really integrating and delegating cybersecurity risk and management into everybody's day-to-day. So how does a flight attendant or a pilot or a ramp operations worker or a customer service worker, what do they need to be aware of and what activities, policies, operating procedures that they can perform to help our overall airline be safe and secure? So really thinking about integrating those activities in a day-to-day perspective and making it real for everyone at the airline. So I think that's a philosophy I have, and we're really trying to push that last year and this year, and we'll continue on that journey to help us, because there's way too much for us to tackle alone as a cybersecurity organization. But the other point you made around the kind of, I'll say, stereotypes and vernacular and, I'll say, the kind of mystique we put around cybersecurity, we really have to break those barriers down, and, you know, it's not used language that everybody can understand. Even the terms that we use in terms of like "kill chain" or "cyber ninja," or whatever it is, those are okay, but that doesn't relate to everybody. So taking people that have maybe a supply chain background, they're managing supplier risk maybe from an operations or financial or quality perspective, showing them that they have skills that can help us do cyber risk management for our supply chain, and not using those highly technical or militaristic terms gives them an understanding that they can help, right, and they fit in as well, too. So we're trying to make sure that we have an inclusive look at how we even talk about cybersecurity. You know, another example is, we don't say, like, as I communicate to the general folks in the airline, we don't say "cybersecurity." We say "cyber safety" because that's everything that is so relatable to everybody in the airline. They understand safety, so when we talk about what we need to do from a cybersecurity risk management perspective, we talk about cyber safety, and that just helps break down the barriers to make people feel like it's something that they can help with and they can do and they can have a place and contribute to our posture.

Ann Johnson: I love that, and when you think about your industry, safety is so important, so everyone understands that language, and I do think that one of the things we have to do is create a culture of cyber so that everyone knows it's their job but also speak in language that they actually understand, and we can do that. It's work, but we can do it, and again, eliminating all that mystique. You know, we're not as special as we think we are, just like any other industry, and making sure we really are open and helping people get in as opposed to keeping them out. So we talked about bringing people in and how we talked about —-, and you touched a little about retention of talent is a really big issue. How do you think within your organization about talent development and retention and what leaders should be doing differently?

Deneen DeFiore: Yeah, so we're really focusing on making sure that we have continuous development in terms of understanding the airline. So as people come into the organization, and also as people continue on their career journey at United Airlines, that they are understanding and exposed to different parts of the business. So, you know, making sure that we go to an airport or spend time in the hangar or we do a visit to a customer service center so they understand what they're protecting, and that gives them a sense of connection and understanding that they can contribute. It's not just a cybersecurity job. It's really contributing to the overall success of the airline. So we do things on that level. We also have a training and development policy where we actually allocate specific set amounts of time and funding to each person each year to make sure that they are staying relevant and up to date on the skills that will help them do their job and also grow in and get to a place where they may want to be where they aren't right now. So we do those types of things as well. And then also the last kind of tenant in that strategy is around leadership and development. So again, the soft skills around building trusted relationships. And then also communicating is such a key part of our job because, as we talked about earlier, we have complex issues. We have highly technical things that we're trying to translate into concepts that everybody understands, so making sure that everyone in the organization has the skills and knowledge to be able to do that and the tool set that backs them up to be successful. So that's how we're approaching the training, development, and leading to retention. So it's not just when you come in, but it's on your career path journey at United.

Ann Johnson: I think that's really good advice for the audience. One other thing when we think about cybersecurity as an industry, I often say that our industry has to be as diverse as the problems we are trying to solve. I know you're also very passionate about creating, you know, a more diverse workforce, STEM education for women who tend to drop out earlier, and the industry has actually made some meaningful progress over the past several years, but why do you think it's important, and what advice do you give your peer leaders who have an ambition to make sure the industry is welcoming for anyone who wants to be in the industry?

Deneen DeFiore: Yeah, it is very important, and I've said this before, and I know a lot of people share this opinion, but, you know, if you have diverse backgrounds, experience, thought, you get a better outcome. It's kind of an analogy. When you look at -- if everyone's the same, and if you're looking at a document or a PowerPoint or something and you've seen it 17 times and everybody else thinks the same way, you're not going to catch that error or a different way of thinking. When you have that diversity, someone's going to ask the question, even if they're tough questions, and it's going to lead to a better outcome. So I think it's really, really important for us to make sure that we have people from different backgrounds, different styles of working, different thought processes, and we get a better outcome in cyber. So as I translate that into how we do that, it's casting a wider net when we're thinking about what skills and qualifications can be considered for different roles. How do we create a program and a pathway into our organization that allows folks to do that? So we have launched a program called "Innovate," and there's a cyber track where it's not only for entry-level professionals or folks that may not have a cybersecurity background. It's also for folks that want a mid-career transition, and we bring them into this Innovate program and we build the training and knowledge, but we also give them exposure to the airline, different domains of cyber, so they can start to see where they might contribute and fit in and feel the most comfortable, and that leads to career path and a position. So we're trying to look at the widest net, and if there's a flight attendant that wants to get into cyber, this is a way that they can do that.

Ann Johnson: That's fantastic. I love the fact that you're thinking about -- innovatively about career paths and giving advice to your peers on how to do that because we have to stop looking at, oh, you don't have a degree in computer science, or you don't have a network security background, or you're not a policy person. We have to open up the path for anyone. Well, Deneen, I'm a cyber optimist. So first, I want to thank you for chatting with me today, and being an optimist in this industry means that I'm always thinking about the future and thinking about that we are one step ahead of the attackers. For every event you hear in the news, there's thousands that I know you and your peers have blocked. What is your perspective as we wrap? Why are you optimistic about the future, and what is your perspective on how we can continue to come together and defend the digital world?

Deneen DeFiore: Great. Yeah, I think I'm an optimist as well, too, and I think it's exciting to me to see technology innovation happening alongside the recognition that cyber risk management is a key to any of those technological successes. If you look at some of the things that we're talking about, AI and gen AI, there's a real recognition that it has to be used responsibly. I don't think five years ago, seven years ago we would have said that as a first thing to come out, and not that I'm saying -- I'm not propagating or promoting regulatory actions, because that could be a whole other conversation, but also the policy world is trying to be proactive in addressing some of these risks so we're not in a place that we have to kind of dig ourselves out from, and we can help shape the right way to implement those as well, too. So I'm optimistic that as digital gets embedded in everything that we do as day-to-day as a society that cyber is bubbling up as one of those top things to consider and manage, because we know it's important, and it will be better if we do have a collective defense and protection strategy. So, you know, I think that's a great thing, and we'll -- you know, I mentioned policy, but I do think the policy and regulation, if we continue to work on the relationships between private companies and the government sectors, that we can do some really, really good things, right, and we can come to a place where policy is actually managing risks and reducing our risk versus being a compliance exercise. So I think that's there, and I'm optimistic about that because I come from an aviation -- I spent most of my career in an aviation setting, and you can see, when you do it right, the incidence of accidents and events, safety increases, and I think we'll have that cyber safety increase if we do it right together as well, too.

Ann Johnson: That's wonderful, and I agree completely. Thank you so much for joining me today, Deneen. It was a pleasure to have you on.

Deneen DeFiore: Well, thanks for having me. It was great to talk to you.

Ann Johnson: And many thanks to our audience. Join us next time on Afternoon Cyber Tea. [ Music ] I invited Deneen to join us on Afternoon Cyber Tea because she is such a strong industry leader. She has amazing perspective. She works in a very complex part of the industry, and she really has valuable insight for everyone who's in cybersecurity leadership. So I welcomed the conversation and it was absolutely fantastic.