A CISO’s journey: empowering women in tech and securing the skies

February 29, 2024
Gabby Scott
Senior Product Marketing Manager
A discussion about attack surface management, risk and compliance, and developing female leadership in tech

Summary:

In this episode of CBTS Tech Talk, Inside the CISO’s Office host John Bruggeman engages with Deneen DeFiore, the VP and CISO of United Airlines. DeFiore discusses advancements in technology and how they have helped in cybersecurity and also highlights the challenges cybersecurity professionals face due to the large attack surface and the creativity of threat actors. The conversation also touches on the challenges faced by women in cybersecurity and the need for representation and sponsorship to promote diversity.

Who is winning the “technology war”?

As cybersecurity technology advances, the attack surface continues to expand, sometimes exponentially. Managing the entire threat landscape is challenging for even the most seasoned security teams. Deneen related that despite advances in security technology, “it’s still an asymmetric advantage for the threat actor,” due to the sheer volume and scope of the environments, devices, and third-party connections that security teams must manage.

“…[The] attack surface is very large,” she said, “and it continues to extend outside of a company’s perimeters to third parties or nth parties to trusted partners to consumers or whatever. Trying to get your arms around that is not an easy thing to do. And a threat actor only has to find one little loophole in the whole entire ecosystem, and they’re in.”

“I think technology has given us a good advantage to get visibility into what normal should look like,” she added, “and now attackers have to work a little bit harder, but they are. They’re getting more creative and taking advantage of things we wouldn’t traditionally think of as cyberattacks. Basic features in systems [are being turned into attacks].”

John noted that these attacks are more than simply a denial of service and added that threat actors utilize increasingly complex social engineering schemes, malware campaigns, and ransomware attacks, powered up with automation and AI tools.

Tools for attack surface management

A primary challenge for cybersecurity professionals is gaining visibility into complex heterogeneous environments, particularly with mergers and acquisitions. Companies may not have complete visibility into merged environments. Deneen recommends inventorying digital assets regularly. As John put it, “If you don’t know where the data’s stored, it’s going to be hard to protect it and really hard to preserve the privacy of your customers.”

Our experts also talked through micro-segmentation, the zero trust security practice of segregating networks to minimize the damage of a successful data breach. Deneen said, “I think we probably, as cybersecurity professionals, need to change our thinking about [micro-segmentation]. We’ve done a lot of zoning in on test versus prod environments or types of data, and that’s good. We have to do that, but that’s not the end-all-be-all. Because data protection is one thing, resiliency is another. So, micro-segmentation in a resilient lens, and looking at how the operations use the systems and segmenting that way is something I think organizations need to consider.”

Deneen also emphasized that each business is different, and every security fabric will look significantly different based on a company’s goals and acceptable network downtimes. “It’s also a point to make sure that you understand, again, what outcomes and how you’re trying to achieve as an organization and how your business operates. Because data protection could be number one for somebody, and resiliency could be number one for somebody else. Those strategies and tools and how you approach things need to be thought of in the context of what you are trying to achieve as a business.”

Deneen outlined three critical areas of risk to appreciate in cybersecurity:

  • Understanding threat intelligence – Comprehending the threat landscape from the POV of a bad actor—who they are, their techniques and tools, and their procedures—to better prepare for data incursions.
  • Understanding your environment – An organization must fully understand what data it protects and where its data “lives” to prepare a robust defense.
  • Understanding the regulatory landscape – Changing laws govern what data can be stored about customers, passengers, and employees, with or without consent.

Deneen talked about compliance management at United in the context of the Ukraine-Russia conflict. “When things like that happen, there’s always a regulatory response around [them]. We need to make sure cybersecurity is really, really strong in aviation. So, we like to make sure that we are plugged into the industry groups, the policymaking, and rulemaking, providing our comments and also educating the regulators on what we do and how we run the airline; how we manage technology risk, not only from my team’s perspective as a cybersecurity organization, but how that’s delegated; responsibility and awareness as well into the operation, so as people are doing their jobs, they can identify the information around a threat or around a risk, and then raise their hand and say, ‘Hey, we need to think about this,’ or, ‘I want you to consider this.’ It’s an interesting journey, but it’s something that we have to do to make sure that everybody is aware that cybersecurity is a team sport.”

Cybersecurity awareness and training

United Airlines must securely manage hundreds of thousands of employee devices, including the electronic flight bags (EFB) that help pilots manage navigation and flight plans. Deneen emphasized the importance of annual cybersecurity compliance training, regular newsletters, and phishing exercises—the “basic table stakes” of managing the attack surface.

However, she added that it is important to move beyond the basics. “But what we also do is look for ways to integrate into the operations, how people do work,” she said. “So, for instance, flight attendants have to train for several months before they actually get to fly, so as they’re doing their training—learning to use their what we call link device, their in-flight mobile device—what are the tips that they need to do to make sure that they are handling that device securely, using the application securely? And we do that in five-minute blurbs, so it’s not like they’re sitting down for cybersecurity training. It’s, ‘Oh, by the way, you need to use this app to [check who’s on the plane].’ Or do passenger reconciliation or whatever it is.”

The value and threats of ChatGPT

John and Deneen then addressed artificial intelligence, with their takes on ChatGPT. John volunteered that he is “not a huge fan of calling it artificial ‘intelligence’ because I don’t really feel that it’s intelligence. I actually started to use the term ‘an expert system’ because they’ve taken just a large language model, and you can ask it a question, and then it will read its index of words that it’s put together and their order.”

“I think it is a gamechanger for a lot of different use cases,” Deneen noted and continued with the example of a customer service contact center. “There is a lot of efficiency and productivity that an organization can gain as well as enhancing the customer experience to make it a lot more delightful than having to wait on a phone for four hours when you can get an answer very quickly based on an approach that an organization wants to take.”

She noted that all the possible use cases and questions around using AI come down to being responsible, adding, “You can do it, but should you do it? Privacy, transparency, equity, fairness…it’s a lot bigger than people realize, and we have to think about how we want to use this responsibly.”

Advice for women getting into the technology industry

After Deneen described the challenges she has encountered advancing in the male-dominated field of cybersecurity, Lance asked her to share advice for girls and young women who are thinking about a career in technology.

“If you’re passionate, you’re smart, you will succeed,” said Deneen. “Don’t let anybody tell you you won’t. I mean, absolutely not. Make sure that you have that belief in yourself and really, really stick to your guns. It’s hard to do, but [you have to have somebody who’s backing you up]. If it’s your parents or a friend or a sponsor or whatever, you have to make sure that it comes from in here (touches heart). That’s the biggest thing. Nobody else is going to do it for you except for you.”

Managing attack surface risk with CBTS

In addition to keeping our followers and clients up to date on the latest industry information and thought leadership through conversations with experts like Deneen DeFiore, CBTS provides the up-to-the-minute threat intelligence that your organization needs to stay ahead of threat actors, the insight and experience to help you understand your environment, and the expertise to help you manage the compliance landscape.

CBTS firmly upholds the idea that connectivity has the potential to transform lives, and we believe that our connections become stronger when we embrace the diversity present in our employees, customers, and shareholders. We pledge to implement diversity and inclusion initiatives that align with our organizational values, such as forward-thinking recruitment policies and fostering talent development.
