United Airlines CISO Deneen DeFiore on elevating cyber’s value to the business

Deneen DeFiore is a Hall of Fame technology executive who currently serves as vice president and chief information security officer at United Airlines, where she leads the cybersecurity and digital risk organization to ensure the company is prepared to prevent, detect, and respond to evolving cyber threats. She also leads initiatives on commercial aviation cyber safety risk and improving cyber resilience across the global aviation ecosystem.

When we spoke for a recent episode of the Tech Whisperers podcast, DeFiore covered a lot of ground, delving into the complexities of the CISO role, the tricky balancing act required to manage the day-to-day, and the leadership skills it takes to be successful in this profession. Afterwards, we spent some more time focused specifically on her communication playbook and how she shapes the narrative around cyber and its value to the business. What follows is that conversation, edited for length and clarity.

Dan Roberts: Why is it important for CISOs to be intentional about ‘telling the story’? If two cyber organizations are delivering the same value to their companies, but one is good at telling the story and the other is not, what difference does it make?

Deneen DeFiore: There’s definitely value in having the ability to tell the story that’s connected to the business outcomes around what you’re trying to do to manage risk. If you have two organizations that are protecting the company and doing what they need to do, the one that’s not able to tell the story is operating at almost a technical level. They’re doing good things and driving good outcomes, but if they’re not able to connect the dots with the business outcomes, they’re going to stay at that level of entitlement. It’s going to be harder for them to say, ‘We need to do XYZ,’ because it’s going to be linked to ‘what cyber security needs to do.’

On the other hand, if you’re creating a value story, such as, ‘We need to go to a more seamless experience for our customers to access our systems,’ then you can talk about a new customer identity platform and moving to a password list and how that’s going to create great customer experiences. You’re going to start adding value at a different level and expanding your scope, as well as moving up the value chain for that organization.

You can be the best technologist with the best execution to the standards that you’ve set, but if no one understands them or understands the importance and why it matters, you’re going to stay there, as opposed to that storytelling organization, which is going to continue to grow and evolve at a much different rate and level.

In the podcast we talked about the plethora of stakeholders you serve both inside and outside the company. Some might have shared interests but different ideas of how to get there. Others might have competing interests. How do you deal with this when it comes to communicating and messaging?

There’s always going to be competing priorities between one organization and another or differences of opinions on how to get there. What I try to do, again, is focus on the outcomes, because if you’re aligned on the outcome, then you can really start to unpack what the issues are around the disconnects. So: If we do this, we’re going to get here. If we do that, we’re probably going to miss. And we all want to be here, right? That’s kind of the way I do it. It’s focusing on what problem we’re trying to solve, creating those shared needs and goals, and getting everybody to understand what the end state is, versus the details of how you’re going to get there.

I also make sure that I’m the facilitator and orchestrator, but it’s not my idea. It’s about getting the people that are not on the same page or may have disconnects in priorities to come up with the solution. I think that’s the key to success as well.

From industry regulations and TSA directives to SEC and cyber regulations, how do you provide clarity in this sea of complexity?

You have to make sure that you’re speaking in a language and terms that people understand, even if you’re trying to talk about complex regulations. I don’t, in normal day-to-day life, talk like a policy document. And I think sometimes when we’re trying to explain that the TSA has this new LSP or something, we just spit these acronyms and technology terms out. It’s really important to make sure that you are paying attention to your tone of voice and word choices. Use common language so you can explain what is happening, why it’s happening, and what we’re going to do about it.

Because if you think about the complexities around the way an event or attack happened or a really complex TSA regulation, no one wants you to regurgitate the low-level details or the policy documents. They want to understand, in summary, what is it? What are we doing about it? Are there like any risks or issues that we need to be concerned about?

The CISOs we surveyed for our CyberLX leadership program told us that one of their big priorities is building leadership skills with a focus on EQ [emotional intelligence], influencing skills, and communication skills. How do you instill that kind of marketing mindset in your leaders and develop these communication muscles in your people?

I don’t like to have meetings before meetings and all that kind of stuff, but for those important presentations or important meetings or discussions where you’re really trying to get people on board, or you need any kind of commitment from someone, I have a preview with my team. We go through the slide deck or the key messages, and I kind of play devil’s advocate and ask, ‘Well, why do I care about that?’ We practice that way, and after we do that a while, they get that and they can do it and we don’t have to have the meeting before the meeting anymore.

Communication is developing that muscle memory as well. There’s always a question you’re trying to answer. There are certain elements of communication where it’s the same components and you have keep that in mind and just know how to do it. So practice is really important.

How do you define the value cybersecurity creates for the business?

I think value can be defined in a couple of ways. It’s making sure that you’re meeting those key responsibilities that you have as a cybersecurity leader — there’s no significant data loss, no downtime or operational disruption associated with a cyber event.

There are those types of things, but there’s also things around, how do you enable the business to do something that they couldn’t do because you’re removing that risk or mitigating that risk, or you’re breaking down a perceived barrier that was there so you can go operate in a market that you weren’t able to before because you have a secure architecture. Or you can collaborate or share data in a manner that’s trusted that you weren’t able to do before. That creates value from a business outcome standpoint.

You have to think about defining value not only in terms of what you’re doing from a cyber perspective, but also what you’re enabling your organization to do from a customer or shareholder value as well.

What are the metrics you focus on?

This is evolving and I’m still working on it with my team, but the operational side of metrics are around the policies and standards that we’re setting, how well are we covering those within the technology services, and then how well are they performing. So it’s a coverage and an effectiveness type of type of view of metrics.

Of course, we want all the external endpoints behind our web application firewall, that coverage metric, but then how many threats are we actually blocking? What are they? And then are they in the application security standard? And why are people still using broken authentication or improper session management or whatever it is — we’re trying to close the loop there and make sure we’re not just saying we’re good because we have a policy, but is it working effectively? And then where it’s not, understanding where our gaps are. It’s that continuous loop. We try to pull that baseline of metrics and KPIs around core capabilities within our cyber program.

It’s probably not a metric you track, but I have to imagine that once you do a good job with the narrative, you’re seen as a strategic partner and start getting invited to the first meeting instead of the fifth meeting.

Definitely. I love it when somebody else is connecting the dots, when they come to me and say, ‘I think we should be thinking about this.’ That’s my measure of success. I’ve done my job.

For more insights from DeFiore on the leadership skills required to be a successful cybersecurity leader, tune in to the Tech Whisperers podcast.