Global CISO of Delta Airlines on Biometric Terminals and Women in Cybersecurity
Ask The CISO: Cybersecurity Q&A with Debbie Wheeler, CISO at Delta Airlines Sponsored by Fortinet
– Georgia Reid, Deputy Editor and Podcast Host
Northport, N.Y. – Jan. 30, 2019
Debbie Wheeler is the chief information security officer (CISO) at Delta Airlines. Her previous positions include CISO at Freddie Mac, global CISO at Ally Financial, Inc., and CISO at Fifth Third Bank. She has also held senior information security roles at JPMorgan Chase & Co., Bank One, PNC Bank, and Allegheny Health.
I had the privilege of interviewing Wheeler on January 16th in Atlanta, Ga. We discussed her career, the talent shortage, women in cybersecurity, and the first ever biometric terminal in the United States, which Delta recently installed at Hartsfield-Jackson International.
Read below for some highlights from our discussion, and watch the video to hear the full interview.
GR: Thanks so much for coming down here today. We’re in Atlanta today for the FutureCon event. You are the CISO for one of the biggest companies in America, let alone Atlanta, Delta Airlines. How long have you been there?
DW: Almost two years.
ON A CAREER IN INFORMATION SECURITY:
GR: I just wanted to hear a little bit about yourself to start us off, your background as a woman in cyber, and now the CISO at Delta. How did you get interested in and involved in this area of work as a cybersecurity expert?
DW: I’ve been in technology all my career. I started in telecommunications. I was a network engineer for a company called MCI. One day my boss came to me and under that “other duties as assigned” clause of my job description, asked me if I’d be interested in taking on a project to tackle viruses. At that time, viruses were something that dumped all your words in your Word document to the bottom of the screen or caused your spreadsheet to not calculate properly, so very different than what we’re dealing with today. I did that project and soon any type of a security-related project was coming to my doorstep. That’s how I wound up in the field.
GR: What aspects of it interested you the most?
DW: I think a couple of things. First, the mentality or the psychology of why people want to do bad things.
GR: That is interesting. The crime aspect.
DW: Absolutely. And then the problem-solving aspect of it.
GR: When you’re at an airline such as Delta, how different or similar is it to working in healthcare and finance? What are some of the similar challenges versus different challenges that you face as a CISO?
DW: I think there’s probably more similarities than differences. I think regardless of the industry, if you’re working in technology, we all experience the same challenges and problems. It’s certainly true in the security space. There is no shortage of bad guys trying to do bad things with technology. While the attacks might differ by industry, the outcomes are usually the same. There are financial gain aspects, espionage aspects, and just pure chaos.
ON CYBERSECURITY TALENT AND RECRUITING:
GR: How do you go about finding the best people and the best workforce to help you with that task?
DW: I’m fortunate to work for a great company. The Delta brand brings a lot of people to our door that might not otherwise show up. We’ve got a phenomenal culture at Delta. People that want to experience that culture — it’s a very employee centric culture — will put their resume into our hands. We find a lot of folks that are just really, really wanting to work in that environment coming forward.
Having been in the industry for as long as I have, I’ve had the opportunity to work for a lot of great companies and see a lot of great talent. As I’ve moved to various positions, I’ve brought people with me. I’ve been able to build a team by bringing people with me who I’ve worked with in the past.
Then I think, too, as a result of our environment and Delta being 80,000 strong, it’s very much a family environment. We get a lot of internal referrals, so a lot of people that have passion for Delta and are very dedicated to the company and serving our customers connect with and know other people that share a similar passion and will refer them to us. We’ve made some great hires as a result of that.
GR: So, there are 80,000 employees at Delta . . . Do you know how many are on the cybersecurity team?
DW: We’ve got about 60 FTE and then we’re supported by a great group of contractors and a couple of managed-service contracts.
GR: That’s huge.
DW: It is, but we also have the advantage of 80,000 family members who are as dedicated to protecting our customers as we are.
ON TRAINING EMPLOYEES AT DELTA:
GR: So, you train them meticulously on inside threat and phishing scams and things like that. How do you go about doing that? Do you have creative ways that you could share with other CISOs?
DW: I’m sure we do a lot of the same things other security organizations do. We do the phishing campaigns, but we also bring in guest speakers on a quarterly basis, so we have a lot of folks who have come in and have talked about various topics in information security. We’ve had the FBI come in and make everybody a hacker for the day, teach them how to conduct phishing campaigns, and what the value and the benefit is for the threat actor. It gives them a different perspective and it helps them understand not just how to protect themselves, which we want them to walk away with, but how to protect the company, and it gives them a view into the mindset of why some threat actors do what they do.
GR: I want to just get you on the record giving someone advice about going into this career. If they’re looking for advice, what would Debbie Wheeler say about this career?
DW: Go for it! Absolutely go for it. It’s fascinating. There are challenges every day, opportunities every day, and you get to do good.
ON THE INTERNET OF THINGS:
GR: Yes, that’s true. We do need more cybersecurity workers. Speaking of cybersecurity risks and threat actors, what is one area that you can speak to that you’re particularly concerned about in general at work but also outside of work for the general consumer?
DW: I think what I worry about in my personal life is the Internet of Things and how many things we’re building technology and Wi-Fi capability into. I don’t think that we have a full appreciation yet for the risks that we are introducing. A lot of people don’t have the advantage of having someone in their family or knowing somebody that is in the cybersecurity field that can help guide them or they may not have access to some of the information or the journals that we all read and have access to. So, they blindly implement these technologies thinking everything is fine and they wind up realizing that it’s not. I worry about that. I worry about it for my kids. I worry about it for members of my family. That’s probably the one thing that keeps me awake at night.
ON SMART TECHNOLOGY IN AIRPORTS:
GR: I hear a lot of buzz about smart airports and smart travel involving the Internet of Things, whether it’s like a luggage tracking device or anything that has to do with Internet of Things in the airport. Are there any technologies coming out that you’re particularly interested in when it comes to that?
DW: Recently Delta made the announcement that we’ve implemented the first biometric terminal in the United States. When you travel internationally through Hartsfield-Jackson Airport, you will encounter a completely biometric terminal, from curbside to the gate. You can use facial recognition to check in without fumbling around for your passport or your driver’s license. Then obviously we have a partnership with CLEAR. Again, you can utilize biometrics to speed your process through the security line. You brought up bag tracking — RFID tracking of luggage from curbside check-in or the counter check-in, all the way to destination. It’s a great feature that our customers really love.
GR: That’s a lot of progress. Not only is it going to be easier for the customer to use the facial recognition, the biometrics, would you say it’s more secure?
DW: I would. We obviously do a lot of vetting of the companies that we work with. In the case of facial recognition, yes, there are partners, and there’s always the risks — we have risks, partners have risks — but I think we’re all very cognizant of what’s involved here, and we’re doing a lot to evaluate and ensure the security of the data that is being passed.
ON VENDOR RELATIONSHIPS AS A CISO:
GR: That sounds like an exciting initiative. I know a lot of smaller companies out there who are doing incredible things with new and innovative products, but they just can’t seem to get to talk to CISOs. What advice would you give them? What is it like being a CISO with all of these different vendors out there to choose from and how has this changed over the course of your career?
DW: When I first started in the field, there were maybe two dozen vendors that focused on any sort of product on security. Today there are over 3,500.
GR: That’s a lot.
DW: It’s ridiculous. Everybody thinks they have the silver bullet. Security budgets, while they are growing, are not infinite. When I look at a product, I need to ensure that it’s going to cover a multitude of concerns that I have. It can’t just be a point solution. There are just too many vendors with point solutions out there and while they may be really innovative and although they may be really great technology, it’s kind of going to be a flash in the pan in a year or two.
I’m looking for technologies that allow me to address a broad array of threats and concerns that we have and integrate with other base products that we have in the environment. So, I tend not to engage with a lot of point solution vendors, because I’m looking more for the platform that I’m building capability on, or a tool that will do a multitude of things, or that can replace a multitude of point solutions that I may have in my environment.
GR: Possibly MSSPs.
DW: In some instances. We’ve looked at managed services where we know that managed service can bring either the skill set to the table that we’re having difficulty finding or is going to be a complement to skills that I already have on my team.
As an example, we have a SOC, an internal security operation center, but we also leverage an external provider for off hours, weekend and holiday coverage. They also have some capabilities that we don’t have internally. It’s more cost effective for them to have it than it is for us, things like the education and the schooling and the training programs they put their people through. For us to try and replicate that would not be cost-effective, but we benefit tremendously from leveraging their resources and their programs.
ON NEW TECHNOLOGY AT DELTA:
GR: Is there anything else that you’re working on with Delta that you’re particularly excited about, new technology-wise?
DW: We’re in the process of going through a digital transformation, so we do a lot of work with Georgia Tech, which is where we happen to be today, through a collaboration called The Hangar. That’s our innovation lab. Being that we’re part of this digital transformation, we’re bringing a lot of technology into Delta. Security is a big part of that, so we get to be a part of that innovation, looking at the new technology and helping the organization make a determination about where it’s appropriate and where it might not be.
GR: What are some of the key security focus areas for you in 2019?
DW: Like a lot of CISOs, we’re focused on operational technology. I think that’s coming up more and more at the conferences I’ve been attending over the course of the last two-year period. We’re very focused on our OT footprint. We’re continuing to monitor the integration of things into our network and tracking how we secure those. We’re always going to be very, very conscientious about third-party risks and vendor risks and insider threat management and monitoring. Those are just table stakes and we’re very, very committed to those things, but I think if you look at new innovation, new technology, and where we’re looking to get more involved, blockchain is certainly something that’s coming onto the scene in the security space. We’ve been working with partners who better understand how blockchain can really help the airline but help security as well.
GR: Is there anything you could say about blockchain?
DW: I think it’s early stages. We’re waiting to see how it evolves and where it goes. There’s a lot being done with blockchain in terms of identity management. We’ve been monitoring that. We’re certainly not at a point where we would be implementing anything that would leverage it, at least not in the security space, but we are monitoring it very carefully.
GR: I’m really curious to see what comes of this in the next year or two.
DW: I am too.
ON WOMEN IN CYBERSECURITY:
GR: Briefly, I wanted to switch gears and talk to you, Debbie, about being a woman in cyber. We have a group on LinkedIn dedicated to helping women get advice — career advice, professional and personal advice — in the cybersecurity workforce. As a woman in cyber, what would you say to other girls or women who are listening and want to know what it’s like to work in cybersecurity and is this a place for them?
DW: There are a couple of things I’d like to say. First, go for it. Don’t let anybody tell you that you can’t do it. Don’t let anyone tell you that you need a certain background to be successful. My team is partnering right now with a high school that has a work study program here in Atlanta, so we have a team of four school students that join my department every day. They work alongside my team. Three of those young people are young girls. When they came into our environment back in the August timeframe, none of them were looking actively at technology, let alone cybersecurity, as a potential career field. We now have all three of them very interested in what we’re doing. All three of them have been exposed to a variety of aspects of cyber, so you see, you don’t necessarily need a math background or a computer science background to be successful. You just need to bring a really good work ethic and a passion for what you do. If you can bring those two things to the table, the rest is easy to learn.
GR: That’s great. Thank you so much for coming down today, Debbie. Is there anything that you’d like to say or leave off with to our listeners?
DW: Support young women who want to pursue technology careers. And to the CISOs out there, we’re all in this together, so the more information sharing and collaboration we can do, the more successful we will all be.
– Georgia Reid is Deputy Editor and Podcast Host for Cybercrime Magazine.
Debbie Wheeler is the Chief Information Security Officer at Delta Airlines.