Devon Bryan. PHOTO: Cybercrime Magazine.

CISO Report: Cybersecurity Captain Navigates Choppy Waters

Interview with Carnival Cruise Line’s Devon Bryan

David Braue

Melbourne, Australia – Jul. 15, 2022

The CISO Report is sponsored by KnowBe4.

Few industries suffered as comprehensively during the Covid-19 pandemic as cruise liners, whose services were summarily suspended in Mar. 2020 and stayed that way for well over a year before limited services resumed under strict infection-control protocols.

Steering through turbulent waters has been a massive effort for captains of the cyber seas. But it’s all in a day’s work for Devon Bryan, who joined Carnival Cruise Line as global chief information security officer in Oct. 2021 and since then has been working hard to expand a more consistent, effective cybersecurity culture and technical controls across the company’s nine brands.

It’s no small task given inevitable tension between available resources and the relative effectiveness of various possible cybersecurity investments. But “we are getting better,” Bryan, a self-professed optimist, told Cybersecurity Magazine.

“Cybercrime will continue to explore and bad actors will continue to find new, more innovative, sophisticated, and stealthy ways to ply their trade,” he explained.

“We think about all the crimes that have been perpetrated for centuries in the physical world, and that’s what we are experiencing right now in the cyber world.”

In a global organization that operates more than 95 “floating cities” whose thousands of employees are in a constant state of operational flux, maintaining consistent and effective cybersecurity across both information technology (IT) and operational technology (OT) realms is an ever-changing challenge for Bryan and his team.

Improving support from government bodies is helping, at least, by raising awareness and boosting the speed and efficacy of information sharing.

“We’ve seen a dramatic shift in the amount of useful information that we’re getting,” Bryan explained, “not just from DHS and intelligence agencies but also from our threat-intel vendors, and our CISO peers.”

“There’s no easy solution for ransomware, but there are certain things that as defenders we have to continue to do to make it a little bit more difficult for those bad actors who will seek to exploit this particular vector to cause us harm.”

Ever-improving technology, particularly in recent years, is helping protect companies that invest in the right way, he said — although he warned that “there’s a lot more art to it than science.”

“There’s no single cyber investment that you will make that will guarantee protection,” he continued, “and we cannot guarantee that our budgetary spend each year will protect the company — but we do the best we can in making very intentional decisions about how our investments will materially reduce risks of our companies.”

“And I’m encouraged by some of the technology innovation that is increasingly being brought to bear as a force multiplier to help cyber defenders keep our companies, our communities, our cities, and our citizens safe.”

Crewing the cybersecurity ship

For all the technological innovation in the market, however, Bryan concedes that finding the staff to implement it remains a major challenge — even in an industry where ready access to cruises brings the possibilities for employee perks to a whole new level.

Attracting talent “has to be a pressing priority” for every CISO, Bryan said — and that may mean looking to non-traditional recruitment channels, given the industry’s ongoing challenges in filling a cybersecurity skills gap that is expected to see 3.5 million job openings in 2025.

“Colleges and universities will continue to try to address the pipelining problem as much as possible,” he explained, “but as practitioners we know that’s not going to be enough.”

“We cannot hire fast enough to fill, especially, the higher end, more technical jobs that we need to be successful — so we have to be very broad and wide in the pipelines that we’re trying to create to help fill vacancies within our companies.”

“Not all cybersecurity jobs and specialties require a very technical degree,” Bryan said, “so we have to look to alternate sources of recruiting and pipelining talent.”

As well as turning to the IT department for potential new cyber hires, this might mean recruiting from the corporate communications department or the graphics department — or reaching out to military veterans with “very tangible, very traceable skills that translate very well… into what we have to do as defenders in cyberspace.”

Retaining staff is equally important — and even the promise of higher salaries or free cruises as incentives isn’t enough on its own, Bryan said, to make sure that the most enthusiastic, engaged employees stay in their roles.

“Once we get this wicked, awesome talent on board, we have to be very deliberate in how we create retention programs for these practitioners,” he explained. “We cannot just expect folks to stay because they love the organization.”

“You’ve got to sell folks on the mission, make sure they are being valued, and give them opportunities to stretch themselves with interesting projects. You’ve got to give them opportunities to develop where they want to develop, and not just where you want them to develop.”

“We make sure they feel valued, that their contributions matter, that they’re part of something larger than themselves. And then we just give them wings and watch them fly.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

