Deneen DeFiore: The Accidental Fortune 500 CISO
From biology graduate to cyberspace defender
– Di Freeze, Managing Editor
Northport, N.Y. – Nov. 27, 2020
Deneen DeFiore loves to be challenged, including solving messy problems and doing things that people haven’t done before. That’s a big reason she loves being in the cybersecurity field.
“Every day in cyber is a new world,” she says. “Things change, threats evolve, and you have to run with it.”
DeFiore spent nearly 20 years at GE before moving to United Airlines early this year. Her history should be an inspiration to those thinking about a career in cybersecurity who haven’t necessarily been planning that.
“I don’t have a security background or an IT background,” she said. “I have a degree in biology.”
DeFiore’s intent when she headed for Kent State University was to do something in the medical field.
“I had aspirations to have a career in either health care systems and operations or pharmaceutical operations,” she said. “I always wanted to see if I could improve that system and make an impact on people’s lives.”
While she was in graduate school, DeFiore interned at a health care system that was moving from paper-based records to an electronic medical record system.
“I was on that project,” she said. “Through that experience, I really found that I liked the technology side more than the operations.”
Once she discovered that, she decided that she needed to learn to code.
“I got the books and taught myself how to do it on the side,” she said.
She also took more jobs that would expand her knowledge of technology.
“I had roles that ranged from systems administration, from Windows to Unix, to managing middleware and databases and web applications, to ERP systems,” she said. “Then I just kept learning and learning and learning. I still do.”
She laughs when she thinks about how she got to where she is today.
“I wish I could say that I had a plan and I had this great recipe to follow, but it was again kind of by accident,” she said.
DeFiore became an IT program manager, Service Delivery, for GE in 2001. She held roles as IT team leader, Enterprise Service Management, and IT leader, Database and Application Operations, before becoming CIO, Energy Services, Industrial Services & Motors, of GE Energy.
“I got to be a CIO because I spent the first portion of my career really focusing on learning technology,” she said. “At some point, I realized I wanted to learn how to strategically apply technology to business problems.”
DeFiore says that she was first seriously exposed to cybersecurity in that role.
“We had a few incidents I helped remediate,” she said. “It really opened my eyes to a whole aspect of technology that I didn’t know existed. Making quick decisions with limited information, getting intelligence, and trying to figure out what to do next was really interesting. It also had that technical aspect, which I really liked as well.”
DeFiore served as CIO for two years before becoming executive CISO of the GE Information Security Technology Center in late 2010. She became senior executive global chief information security and technology officer of GE Aviation in 2015, and two years later, took on the role of SVP, global chief information and product security officer.
GE Aviation, a world-leading provider of jet engines, components and integrated systems for commercial and military aircraft, has 55,000 employees and more than 80 sites around the globe. DeFiore said that being with a company that solves some of the world’s biggest challenges meant that they were forced to continually evolve and change.
She described her role with GE Aviation as “securing the business portfolio and securing and protecting and defending its IT systems and networks.”
“It was also about protecting the thousands of operational technology devices used to develop and produce our products, like jet engines,” she said. “I was also responsible for the cyber assurance of our products that we put on planes.”
DeFiore joined United Airlines in January 2020 as VP and CISO. Although crisis management and risk management are key components of what CISOs need to do every day in their jobs, that didn’t prepare DeFiore for the rapid change in the threat landscape due to COVID-19 shortly after joining United.
“This crisis was so much more than anything that’s ever really happened before,” she said. “I don’t know that any company could have prepared for the scale and magnitude of what needed to happen.”
That included “work from home, increased activity from cybercriminals trying to take advantage of the crisis, and an exponential increase in the reliance on digital technologies to interact and enable the customer experience in a safe and efficient way.”
“I’m not going to lie,” DeFiore said. “There were days when I had to remind myself constantly that I had this! I often say you must be an excellent risk manager to be a successful cybersecurity leader. Those were skills I pulled on the most: being able to analyze the issues based on the limited data, laser-focused prioritization, being able to challenge the status quo and make informed decisions quickly, etc. I also have had several ‘make or break’ experiences throughout my career, though no crisis is the same, that have helped me be a better leader in high-stakes situations.”
Even without COVID-19, DeFiore faced the challenge of going from an original equipment manufacturer (OEM)/supplier to an airline, which she said is definitely different.
“There is no frontline or consumer to worry about in my old role,” she said. “The threat landscape is shared but nuanced. With an OEM/supplier, there is a heavy focus on IP protection and insider threat and not a significant focus on financially motivated cybercrimes based on consumer transactions, fraud, etc. I had a great foundation coming from GE, but the airline/operator is where it all comes together in the aviation industry: above the wing and below the wing. Regardless of the pandemic, I needed to make sure I understood what we as an organization were trying to accomplish, listen, build trust and then align to meet those objectives.”
DeFiore believes that one of the most important lessons learned from COVID-19 crisis planning was the need to go back to basics, with so much of the workforce remote every day.
“You had to say, OK, from a basic standpoint, are all the VPNs and portals and gateways secured? Are my endpoint controls working exactly the way they need to be? Have I whitelisted only the applications that in remote sessions need to be accessed remotely? Things like that. The stuff you would have normally just expected to work. You had to step back with a heightened sense of awareness and forget about getting to the next level of maturity.”
DeFiore refers to the aviation sector as a “connected ecosystem where everybody is dependent on one another.”
“We all share each other’s risk whether we like it or not,” she said. “Airlines are dependent on airframers and suppliers. They are dependent on the airports. Airlines fly all over the world with different levels of standards and securities in different places. So, approaching the threats and risks in aviation must be done collaboratively and collectively.”
Since 2014, DeFiore has been a board member of the Aviation Information Sharing and Analysis Center (A-ISAC), a nonprofit organization that allows CISOs from different companies to come together and talk about risks and threats, as well as standards, approaches, and best practices.
“We work together to move the needle going forward,” she said. “We are all trying to solve the same problems, so collectively approaching it, building trusted relationships, really helps us get a better level of protection, and we can get further ahead of threats that way. We’re stronger together when we can come together and collectively address cybersecurity issues and threats.”
Developing and retaining talent has always been dear to DeFiore’s heart. It’s even more crucial now.
“The threats are only increasing,” she said. “We want to make sure that our company is protected and we’re around for a long time. The last thing we need right now is a cybersecurity event.”
What DeFiore wants from her team is for them to be able to “connect the dots on their own” without waiting for somebody to tell them what they should do. She’s seen that happen since she’s been at United.
“People have reached out and said I saw this, I think you should know about it,” she said. “I feel good about that.”
DeFiore knows how important it is to invest in continuous learning and upskilling.
“Technology changes at a pace that is immense right now,” she said. “We have to have capable people. Training is a big deal, as well as collaboration and sharing. We win together as a team. Our success is as a team, and knowledge is power. I really make that collaboration and just-in-time learning from a cross-functional team a priority for us, to all be collectively smarter.”
DeFiore also realizes that companies are all competing for the same pool of talent across the industry. She believes it’s important to hire for potential, not “the 97 different domains of cybersecurity that we list on every job description that no one can ever qualify for.”
“We have to start to really take a chance on people and give them the tools and resources to be able to do that,” she said.
DeFiore said that while at GE, they had a lot of success with people from IT or engineering coming over to the cybersecurity team and learning successfully based on their foundation.
“Once you expose people to cybersecurity, and they’re learning what we do, and they’re excited about it, they don’t want to go back to IT,” she said.
She’s a proponent of making sure that the work is something people want to do.
“Every day there is something new,” she said. “You need to always challenge people to raise the bar and actively learn new things. You also have to show people why what they’re doing is important and the value of their work to you and the organization.”
She said that to retain talent, it’s also important to make sure that lines of communication are open.
“You need to create an inclusive and collaborative culture with a team based on trust,” she said. “If you have that, you have that connection with the mission of the organization, and then you have that connection with your team. People will be willing to stay even though they could go to another company and perhaps make more.”
DeFiore said that as a career, cybersecurity has a compelling human factor — to protect, to secure, and to nurture — that women are starting to see.
“It’s something that appeals to them,” she said. “More women are thinking about it now.”
She thinks it’s very important to get young women and girls exposed to cybersecurity, and technology in general. While with GE, she was involved with the Executive Women’s Forum, one of the largest industry associations for women in privacy, security and risk. She also co-led GE Girls, a summer camp that highlighted STEM opportunities and provided education to middle school girls.
“Unfortunately, with all that is going on, I haven’t had the opportunity to get actively involved in our ERGs here at United,” she said. “I have participated in UImpact (the women’s network at United) and the Women in Technology Forum but can’t say I have taken an active leadership role.”
She said it’s important that young girls and women don’t think of cybersecurity as “just sitting behind a computer hacking away at things.”
“You don’t have to wear a hoodie. My thing is designer shoes and handbags,” she laughed. “I don’t even own a hoodie. I want them to understand that the scope is large in cybersecurity. It’s expanding day to day. You have things like application security, but you also have risk management, which is an appealing career to women too. Give it a chance. There’s a lot of transferrable skills that come into play. You don’t have to be a hacker to be in cybersecurity.”
DeFiore thinks back on her experiences in the field and says she doesn’t think there’s a limitation or a set formula around how to be successful in cybersecurity.
“I know a lot of people that have different backgrounds and experiences and they’re very successful,” she said. “I think that’s one of the things that make the field and make a team so interesting and successful — when you do have those diverse backgrounds and ways of thinking and ways to approach a problem. You get way better outcomes when you all come with different experiences.”
With so many people still stuck at home, possibly thinking about a future career, DeFiore has a great idea.
“Now is a great time for people to go online and learn,” she said. “A lot of great companies, cyber training companies and technology companies, are offering free courses online. I would definitely encourage people to take advantage of that.”
– Di Freeze is Managing Editor at Cybersecurity Ventures.