On today’s special episode of the New CISO podcast, Steve Moore chats with Deneen DeFiore of United Airlines, Colin Anderson of Levi Strauss & Co. and Charlie McNerney of Expedia on what it’s been like as a CISO during the pandemic.
COVID and the Airline Industry
Deneen begins by discussing how she became the CISO for United Airlines right as COVID hit. When the pandemic reached the US, there was a lot of fear that the airline would not make it. Because of this additional stress, Deneen focused in on what the priorities were from a business stand point. She touches on how her team had to juggle the increase of cyber criminals and threat actors, as well as maintaining the business and transition to telework. This amalgamation of challenges made her really assess what’s the most bang for your buck in terms of security – especially when the business is tightening its budget already to survive the pandemic.
In terms of technology, Deneen and her team had to ask themselves what technology will help and protect the business right now and what can they put on hold. The incredible plans they had for the future had to be pushed back and implemented at a later date.
Adjustment for the Airline Industry
Like Deneen, Charlie is in the travel business, and speaks on how the change wasn’t gradual but rather sudden. Expedia had to adjust quickly, which was taxing from a digital and physical perspective. He says they had to focus on the most important questions: how do you take care of the employees as well as the travelers? In addition, how much self-care do you have for your system? Like every other business, Expedia’s initial plans had to go out the window. Then, they had to develop new plans and implement them in an effective manner.
In terms of the future, Charlie points to the new catchphrase: there was a lot of perspiration to shut everything down, but there’s also a lot of aspiration to open up again.
Opportunity in the time of COVID
Colin discusses how, while they experienced a dramatic decline in revenue, Levi’s thought they could innovate and come out of the pandemic better than before. The challenges they have faced have forced creativity and technology to evolve. While revenue is still hurting, they’re investing in the future. This situation has forced them to do 2 years of change in a 6-month period. Overall, he feels these past few months have been challenging but exciting.
Priorities for 2021
Going into 2021, Deneen and her team are focused on safety and less interaction. They are coming up with a system that keeps everyone save by using more online measures, biometrics, and new technologies. Unlike before, they now need to collect more health data, and find themselves with a greater dependency on digitization and automation. Biometrics, for example, is a technology that used to be a nice thing to have, a bonus element. Now, however, it’s a necessity. Listen to the episode to hear more about how they’re streamlining their process and expanding Clear.
Updates during COVID
Colin and his team used lockdown as an opportunity to update software and hardware that they’ve been wanting to but would’ve been too disruptive under normal circumstances. Because of this, they were able to push forward new solutions. Historically, the security budget was focused on enterprise security, with a small portion carved out for product security. Now, that’s flipped. Listen to the episode to hear more about Colin’s perspective.
Colin also discusses the importance of protecting the consumer and protecting the trust between the enterprise and the consumer, especially for a consumer facing business. He also touches on how to maintain trust with the customer, as well as placing yourself in the position of the attacker in order to better combat threats.
Perspective on Risk
Deneen relays how she and her team are altering their view and approach to risk. She believes the industry must move to a dynamic view of security. A security team can’t just check off the boxes and pass a test, they need to be constantly updating and evolving. She also believes that organizations need to do a better job integrating intelligence from all different sources. Listen to the episode to hear more about how she thinks the industry needs to evolve.
Third Party Risk and Increasing Issues
All three guests speak on mitigating third party risks through universal participation and cooperation. Not only do customers have to understand risk, so do the employees. They believe that CISOs need to focus on supply chain to help mitigate third-party risks. Charlie has had partners compromised and because of this, they have had to cut off access to data. He says it’s challenging but the business understands it because the number one priority is to protect the company, employees, and customers.
The issue, as they deliberate, is that every large company has hundreds of thousands of suppliers, which makes them more vulnerable. Each partner has a different risk and different impact to the enterprise. The guests also talk about their worries over API attacks. Deneen points out that they’re not always a detectable kind of issue because the developer only displayed what they need to on the front end, without showing the back-end data. She also emphasizes the backlog of vulnerabilities, as attackers are pivoting to something already out there because its low hanging fruit.
They conclude this segment by pointing out that the solution to increasing risk is talent. They believe that talent solves so many problems. As a leader, your job is to remove the roadblocks so that your team can perform well. Colin feels that you should find incredibly passionate, talented people and should invest in them and support them. Listen to the episode to hear more about the increasing risks the guests believe every CISO should be aware of.
Ownerships of Risk
Charlie iterates the importance of a healthy environment. He believes that risk is not just the security team’s responsibility, but rather trying to relay the message that everyone needs to be involved in the risk profile of the company. Once more people feel like it’s part of their responsibility, the less breeches you’ll have. He tells the story of how a chairman and a security guard practiced safe security protocols.
Employee Retention and the Mission
Deneen speaks on the specifics of the aviation industry—not only the uniqueness of the risk profile but also how it’s impacted the world. She has spent over half her career in the aviation industry and what’s she’s observed over those years and what has been exaggerated since the pandemic is that the people who stayed are the ones who want to push the industry forward and are the ones connected to the mission of helping the world.
Empathy as a Leader
Lastly, Colin touches on how empathy is key to being a leader. He believes that the human element will always be number one. The leader’s number one job is to find talent, curate that talent, and help it grow and improve. he gets so excited when he sees the success of his team and believes that communication skills and the soft skills are really important to getting the job done.