We Want to Hire Honest People Who Think Like Criminals

What game should we play where we can trust you to behave fairly, but at the same time see how you could take advantage of us?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Deneen DeFiore (@deneendefiore), CISO, United Airlines.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, Code42

As organizations gradually and cautiously move out of adapt out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42.

Full Transcript

Voiceover

Ten second security tip, go.

Deneen DeFiore

When you’re considering developing a bug bounty program, make it unique and relatable to your business, or industry. For me, at United Airlines, we pay out our rewards in miles, so, that gives us a pretty unique competitive advantage there.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark, I am the producer of the CISO series. Joining me, most regularly, is Mike Johnson. Mike, let’s hear it, the sound of your voice.

Mike Johnson

I’m here, I’m here to share with all of y’all in our audience today and have a great conversation.

David Spark

“All of y’all.”

Mike Johnson

All of y’all.

David Spark

We were talking about that. I want to hear from our listeners if you hear Mike saying, “y’all,” because I didn’t think I’ve heard it ever and I thought I heard it for the first time.

Mike Johnson

But remember, David, it’s “yall”, it’s not y’all. You’re adding too many syllables. One syllable.

David Spark

You all, y’all, whatever. Any version of it. Actually, you know what? We have transcripts now. I can go back and see if they’ve put y’all in there.

Mike Johnson

I’m very curious to hear if y’all gets transcripted.

David Spark

If it’s y’all, or just yall.

Mike Johnson

Yes.

David Spark

Our sponsor for today is Code42 and Code42 has been a phenomenal sponsor of our podcasts and video chats and everything. They’ve been all over the place. Fantastic. I do want to bring up one thing that I just learned very recently and it’s about my father-in-law, which I’ve mentioned on the show. He was a magician, he was also a musician, wrote some song, but he made his money in publishing. But here’s something kind of cool I’ve discovered about him. He made the Guinness Book of World Records for, get ready for this, the world’s smallest royalty check.

Mike Johnson

Okay. There’s a Guinness Record for everything.

David Spark

So, supposedly, this is according to my wife and then we looked at something on his business’ website, which is still running. Story is, that he wrote a song called San Antonio, which we actually found the song San Antonio. It’s not a bad song, it’s a good song.

Mike Johnson

Yes, okay.

David Spark

Just mentions San Antonio. You would think, if you write a song for a city, they’ll reuse it for a civic pride kind of a thing. Supposedly. The guys who recorded it sounded really good too. He had a friend who worked at Guinness and he goes, hey, you know what, I have a really small royalty check, possibly, I could make it into Guinness for the world’s smallest royalty check. Lo and behold, he did and it was specifically in the 1980 book of Guinness World Records. So, I went onto the old Internet, found myself a copy of the 1980 version and they have a photo of his royalty check. If anyone listening actually has a 1980 Guinness, you can find it on page, I think, 159 and it says, Mel Powers, my father-in-law, world’s record for smallest royalty check for his song San Antonio.

Mike Johnson

Now I have to know what the royalty was.

David Spark

Oh, four cents. Oh, I’m sorry, I thought I mentioned it. Yes, four cents.

Mike Johnson

Hey, that’s more than I have ever made off of royalties.

David Spark

For a song?

Mike Johnson

Yes, yes.

David Spark

I will say, universally, your song stinks.

Mike Johnson

I appreciate your support, David.

David Spark

This is like when I asked you if you think I would make a good CISO and, without literally missing a beat, I could barely finish the question and you said no, there’s no way.

Mike Johnson

Yes, no, that’s fair. Came back to roost.

David Spark

Yes. Alright. Let’s bring in our guest. I’m very excited to have her. Been a long time trying to get her on the show. I also learned how to pronounce her last name, which was pretty awesome too. It is the CISO for United Airlinea, Deneen DeFiore.

Deneen DeFiore

Correct.

David Spark

Deneen, thank you so much for joining us.

Deneen DeFiore

Great, I’m happy to be here.

If you haven’t made this mistake, you’re not in security.

00:03:53:20

David Spark

Eric Cole at Secure Anchor Security said, “At the beginning of my career, I was actually told to say no to projects due to security issues so that the IT department could save their money in resources.” He went on to say, “This is not the way to operate security.” Today, for which we’ve discussed at great length on the show, Cole went on to talk about security’s role in a business meeting. “Most of the time, the best security employees you have will only be focused on security,” and Wib Gridley said, “This is an issue of maturity. You start by saying no, then, over time, you grudgingly accept but claim, it’s all their fault, if something goes wrong, because we warned you.” But then, at the highest level of maturity, you embrace the business idea and think how security can adapt to make it happen. So, Mike, does becoming a business-minded security person take time and, if so, who do you want in product meetings?

Mike Johnson

I do think, for most security folks, it does take time to become business-minded.

David Spark

Would you say this maturity model they describe here describes what you went through?

Mike Johnson

I don’t know that I necessarily followed the same curve, but I think everyone has a different journey in security when it comes to that.

David Spark

Did you have a no pattern? I want to know, did you have a moment of no?

Mike Johnson

Oh, sure.

David Spark

Okay. Alright, so you started at the beginning.

Mike Johnson

But, I don’t know if I had that middle part.

David Spark

Oh, you just went no to acceptance?

Mike Johnson

Yes. Totally, no to risk acceptance has been my journey. But I think it’s one of those that, it’s not taught to us as we’re learning security, especially these days, there’s formal training around security. Be it an undergraduate program, or some boot camps, or what have you. That training does walk you through the business sides of things. It’s trying to turn you into an expert in security. For me, I have learned by watching others. I’ve had to learn by people who’ve been further in their careers and how they’ve handled it, what they’ve been doing and watching and learning from them. Sometimes by, you touch the stove and you very quickly get a, no, that’s not going to work kind of response. You learn from that. I think it’s something that really takes most folks time to learn and it really is generally coming from experience.

David Spark

Alright, Deneen is nodding her head right now. I’m going to toss this to you. Deneen, do you feel you went through this pattern, or you were business-minded from day one?

Deneen DeFiore

I started from a different point. To give a little bit of context, I think some CISOs are security leaders, they do cybersecurity in different industries. So, they go from one job in cybersecurity to another industry in cybersecurity to another industry. My path was a little bit different. I have, I’ll say, a deep affinity and expertise for the aviation industry; so, I really understood what we were trying to achieve when I was at GE Aviation and now at United Airlines. I think it’s just that people start from a different place. If you have that deep knowledge of your industry, or business objectives, I think it’s easier to get there. In an airline, it’s all about getting people to where they need to be on time and, of course, in a safe manner and nothing else really matters there. So, that’s how I always thought about how I had to run my team and run my program versus solving all technology issues.

David Spark

I’ve got to assume that, doing security in an airline really requires what you said, a true understanding and appreciation for the specific concerns of aviation. How much is necessary? Would you be more interested with someone like you and teaching them security, versus, someone who’s just a security pro and then, now I’ve got to teach him the aviation industry?

Deneen DeFiore

Well, I think it depends. There are certain parts of the business. There are the roles that center around aviation cybersecurity and I’ve found a great success in looking at folks that came up in aerospace engineering, or mechanical engineering, or supply chain and overlaying the cyber pieces there. Because, they know safety and risk management and how to do that and cybersecurity is very attuned to those methodologies and those ways of thinking. But we also have huge loyalty programs, a big consumer facing part of the business. We manage millions of credit card transactions and financial transactions.

David Spark

There’s a lot more to the security than just flying?

Deneen DeFiore

Yes. So, those specific roles, yes, I would love to have folks that are grounded in the aviation industry, but there’s also a ton of transferable skills if we’re looking on the enterprise side, or in security operations, or AppSec or things like that. It varies and we can definitely use anyone we can right now in cybersecurity, because there’s very much a skill shortage right now.

David Spark

I get to that question at the end of the show. Hang tight.

Are we having communication issues?

00:09:03:11

David Spark

What could a potential hirer do to get through to you? I’m talking about you, Deneen and Mike. Over on the cybersecurity subreddit, I saw yet another post about a struggling young and inexperienced security professional looking to break in with an entry level job. They have a certification and they’re using the spray and pray method of 100 plus résumés out to companies. When you’re green, you know no-one, so, the networking option is probably not that viable. Deneen, what would it take for someone like that, someone completely green, to just get your attention? Or, maybe they don’t need to specifically get your attention, get some hiring manager’s attention in security? Also, what would be a great entry level hire?

Deneen DeFiore

Showing your skills in practice, if it’s a “capture the flag” competition, or a demo that you put together, or you put yourself out there at a conference or something like that, or a white paper that you write. I think when you actually show the application of your knowledge, because certifications and degrees and everything, yes, those are all qualifications, but do you know how to apply whatever skills, or knowledge that you gained in whatever capacity, in practice? That’s really what gets my attention and I know my leader’s attentions too.

David Spark

I’m going to come back and ask another question about approach. Mike, we’ve discussed this entry- level issue, and, by the way, it is amazing how often this comes up, there seems to be a glut of entry level people desperate to get into the industry.

Mike Johnson

There are and they’re coming from a few different places. One, there’s headline after headline of salaries in the security field and people would like that.

David Spark

All of a sudden it becomes more attractive.

Mike Johnson

It becomes more attractive from that perspective. For some folks, it’s always been a passion and they just haven’t had the right opportunities, or maybe their lives took a turn that it wasn’t an option for them. So, they’re looking to make that change. It is a very popular field and I hope it stays that way. I would actually rather be in a popular field than an unpopular one. I think we’ll continue to see the folks trying to get their start and trying to come in from an entry level. One of the things I’ll say is, I do want to challenge you a little bit on the networking option. I do think, even if you know no-one, it is an option.

David Spark

Yes, I don’t want to strike it out but it’s one of those things, you and I have huge, deep networks, that we can just go to. Right out of college, it’s not the same thing.

Mike Johnson

I agree with you, but you have to put in the work and you can build a network. Deneen mentioned presenting at conferences. That’s a great opportunity. Even attending conferences, or attending classes, participating in webforms, like Reddit. If you’re actually active in these places, you will build a network. It will take you some time, it’ll take you some work, but you will get to know people and you will get to meet people and those opportunities will arise as you get out there more, as your network continues to expand.

David Spark

I will throw this out to any green people looking to get in and we get a lot of them. Come join our CISO series video chats every Friday. That is a great chance to connect with the community. We have an awesome community on Fridays and there is a chance to have one on ones with people at the end. Last question and I’ll just get quick answers from both of you. Is there anything that you, or security leaders can do to make yourself look more approachable, and this is the key thing, to anyone? When I say anyone, I’m reaching out in the hope of getting people of different and diverse backgrounds to come to you. Is there any way you can do that, to project that, assuming that you want to. Deneen?

Deneen DeFiore

Yes, absolutely. First from the background and capability standpoint, I let everybody know, I do not have an engineering or computer science degree, I have a degree in biology. I fell into cybersecurity and I just wanted to learn about it. I couldn’t get out either. If I was able to start that way and get to where I am today and learn everything that I did, anybody could really do it. I always make sure that that happens.

David Spark

You point out, “If I can do it, anybody can do it.” That’s a good opening.

Deneen DeFiore

Yes, absolutely. On the inclusion standpoint too, I make it an absolute point and so does anybody who works for me and hopefully the organization that I work for, we have a saying here at United, that we just came up with, and it’s, “Inclusion propels innovation.” You’ve got to have different experiences, different ways of thinking, different people of backgrounds and all aspects of diversity to get the best outcome and I always love to be the best. That’s how I approach it with folks.

David Spark

We agree. Mike, quick, how do you make yourself approachable? By the way, for those of you who don’t know what Mike looks like, not so approachable.

Mike Johnson

For me, I like to ask questions that I know other people have and they just feel embarrassed to ask and ask them in a public forum and basically admit, I don’t know everything. If you’re out there and you’re making it very clear that you don’t know everything and you’re willing to learn and you’re offering yourself as an example, then that makes you more approachable. It makes you feel like, hey, we’re at the same level. I want people to feel like they can approach me and we can have a conversation about anything.

David Spark

Good answer. By the way, if listeners are not currently following Mike Johnson on LinkedIn, I highly recommend it, because that is your forum of choice.

Mark Wojtasiak

In the world of insider risk, a vast majority of risk posed by employees is accidental, or negligent in nature.

Sponsor – Code42

00:15:29:02

Male Voiceover

This is Mark Wojtasiak, Vice-President of Research and Strategy at Code42, a company that specializes in insider risk, explaining why and how they came up with their new education product called Instructor.

Mark Wojtasiak

Security teams, we all know, are drowning in activities and alerts and things like that and they don’t necessarily have the time to respond to each and every possible accidental, or negligent employee behavior. So, training is a big pillar of our approach to insider risk management. We think about it in the three T’s, transparency, technology and training. Training and education is a great way to help companies improve their insider risk posture. So, naturally, we added Instructor to our portfolio of products as a way for security teams to respond to that accidental, or negligent data leak. With timely education, with the right sized education, over time, you’re going to see employees act more responsibly, factor risk into their decision-making. Is this safe? Is what I’m doing with this corporate data safe? Maybe I should double-check what corporate policy is around sharing or sending information. Instructor was in direct response to helping security teams improve their insider risk posture, without taking up a lot of their time.

Male Voiceover

For more information, visit code42.com/instructor.

It’s time to play, “What’s Worse?”

00:16:59:18

David Spark

Alright, Deneen, do you know how this game is played?

Deneen DeFiore

Well, I listened before.

David Spark

You get the idea. It’s two horrible situations and you have to pick which is worse. It’s a risk management exercise. I make Mike answer first. I always like it when my guests disagree. As I always say, no pressure, but I always when they screw with Mike. This one, I think, you might have two answers. There will be the answer that you want and the answer you think your company wants to hear. Okay?

Mike Johnson

Oh, great. There’s one that gets me fired. I just need to figure out which one that is.

David Spark

Listen to this. This comes from another CISO, Rebecca Harness, who’s the CISO of Saint Louis University. We just had her on Defense in Depth, talking about preventing ransomware. She was excellent. Here we go. What’s worse? You get the flood of unsolicited bulk commercial email targeting you and you open and look at each one of them; or, you get nothing and you miss that diamond in the rough, niche vendor that actually does have a good solution to a problem you’re having right now? Mike, which one’s worse?

Mike Johnson

I guess I’m trying to reconstruct what’s happening here.

David Spark

The idea is, you get the flood of emails and you ultimately would hopefully find the solution, but you have to deal with the flood of emails, it is part of your life to deal with vendor emails. The other option, you get nothing and that one solution that you really need right now, you don’t. You’re either dealing with a horrible security problem that you can’t solve, or you’re dealing with the irritation of non-stop marketing emails.

Mike Johnson

Amongst my peers, I evidently have a very high tolerance for that irritation.

David Spark

You used to not, I don’t think. Did you?

Mike Johnson

Well, people change.

David Spark

They do.

Mike Johnson

I don’t really get so bothered by them. I have a delete key, it works really well and I am not afraid to use it. I think that really allows me to deal with those inbound messages. It’s like, I’m not interested, just going to delete it and move on. For me, this one’s actually pretty easy. I would hate to miss that solution to the problem that I have right now.

David Spark

So, bring on the flood?

Mike Johnson

It’s going to happen one way or the other, it doesn’t really matter.

David Spark

Well, the idea of the second option, you don’t get it at all. You have the world’s greatest spam filter that takes it all out.

Mike Johnson

I think, if that spam filter existed, that person would make a lot of money on selling their spam filter, versus selling their emails.

David Spark

Alright. Deneen, I throw this to you. Do you agree, or disagree? Are you okay with getting the flood of vendor marketing emails, just so you can catch that one? Or, no, forget it, I’m not going to deal with this?

Deneen DeFiore

I’m going to have to agree with Mike here. I don’t mind the solicitations. Some of them are kind of over the top and, again, it’s just like, whoa, delete.

David Spark

We’ve quoted many of them on this show.

Deneen DeFiore

Yes. I always think it’s really interesting to see the concepts that people and new companies are coming up with and have those conversations, even if nothing comes out of them. I think it’s part of being a security leader. Our industry is so technology focused, everybody has a tool to solve every problem. Unless you’re actively vetting what’s going on, you’re going to miss that niche solution.

David Spark

Keeping your eyes open. This is something we’ve talked about on this show before. God willing, there will be a day where we’re all going back to conferencing again and it’s going to the edges of the floor, to see that new company you’ve never heard of. That’s the most fun part of it. Although you’re seeing the big vendors that you know plenty about and they’re probably releasing something new they’d like you to hear about, regardless, we end up going to the edges. I’m with both of you and they’re nodding their heads on that.

Walk a mile in this CISO’s shoes.

00:21:15:05

David Spark

Mike, Deneen, how do you justify your budget? In a 2018 report by Kaspersky entitled, “What it takes to be a CISO,” here are some top answers to the question, “Without a clear ROI, how do you justify your budget?” The top four answers were, in order: cybersecurity breaches report; evaluation of the damage done to the company by past attacks; mandatory regulations; and vulnerability assessments. First, I’m going to start with you, Mike. Are you able to do any budgeting around ROI and, if not, do you prioritize your requests for budgets similarly, or is it based on something else?

Mike Johnson

I seem to be some weird purist around the concept of ROI. The idea that, if I spend a dollar, I’m able to show how many dollars, or cents of value I get back from that. I think it’s really hard to do that with security across the board.

David Spark

Are there elements of security you can do that with?

Mike Johnson

Yes.

David Spark

Like what?

Mike Johnson

At first, I was thinking about this answer and read this article and came up with my list of how I was thinking about it. The more that I think about it, I’m mostly in agreement with what they’re talking about. You want to look at your past attacks. What is happening? What did you learn from them? When you have an attack, you need to make sure that you’re not just putting a Band-Aid on that exact vector, but that you’re looking at problems more holistically. How can I solve this bigger? How can I make sure that nothing like that happens again? Not just that. So, I do think that’s an area where you can sometimes say, hey, this incident that happened cost us x amount of dollars, I need to prevent that and I need to spend y amount of dollars to do that and it’s actually a pretty easy justification, quite often, to be able to do that.

David Spark

I would think compliance is an easy thing. If a fine is x dollars and it cost us x minus so many dollars to purchase a product to avoid this x dollar fine, that would be a simple justification right there.

Mike Johnson

I look at compliance, from that perspective, in two different buckets. One is regulatory requirements, so that is, I will get fined if I don’t do this. The other is, for me, I’m in the B to B world. My customers are businesses. They have requirements that they place upon us and, oftentimes, the way that they’re doing that is a generic framework. You need to be SOC 2 compliant, you need to be PCI compliant, what have you. That then is a way for them to relate their customer requirements, that I’m then able to turn around into, well, this is the spend that we need to do. So, it’s not necessarily that I’m spending the money just to be SOC 2, because I think that’s cool, it’s because there’s customer requirements associated with that and there are often customer requirements that are not directly tied to a compliance framework. “I need this feature, I need this capability, otherwise, I’m not going to do business with you,” and you can start mapping that to actual dollars.

David Spark

I’m throwing this one to you, Deneen. Looking at the list that they did, I want to ask, is there ever an ROI decision made and do you follow the same pattern to justify your budget as well?

Deneen DeFiore

I do similar to what Mike describes. To be a responsible security leader, it’s hard to quantify the outcomes for driving by the security technology investments that we’re making and even investments in people, because that’s the other thing that we have to do. You need more headcount. Why do you need more headcount? It’s because the tools and technologies don’t solve everything, it’s the people that analyze and use the data, the really smart people, that are developing custom detections, or developing our own type of intel to take us to the next level. So, you have to talk about it in that way. The other thing too is, from an outcome perspective, I always try to show, okay, if we’re going to spend this much money and time and resources, or technology, what are the outcomes that I can generate for you? If it’s, okay, well, we need to move to a new workload segmentation, technology in process, what’s that going to get me? Well, I can give you confidence that we can recover faster from a ransomware, or reduce the attack surface. Or, I can also reduce dependency on firewall rules and get less outage time associated with somebody messing up the firewall. Whatever I’m trying to do, I always try to make sure that there’s some kind of outcome that is tangible, that a business leader or technology leader can understand. We hold ourselves accountable to that and measure it.

Close your eyes, breathe in. It’s time for a little security philosophy.

00:26:22:15

David Spark

On Twitter, I asked the question, “What game taught you the most about thinking like a hacker?” Most people, I think, just wrote joke answers like Hangman, or posted their favorite games. But there were some very interesting answers and I want to quote a few of them here. Duncan Watson said, “Diplomacy, because social engineering is king.” Radek Domanski of BMW Group mentioned the game Uplink, where you actually are playing the part of a hacker. Jeff Hall just said, “Taking stuff apart and see how it works.” Lastly, similarly, Adrian Sanabria of CyberRisk Alliance mentioned that there is a game called “There is no Game” and this game doesn’t tell you how you have to play it, you just have to start prodding things. I’m going to ask the same things to both of you and I’ll start with you, Mike. What game trains your mind for security? By the way, do you still play some games just to keep your mind fresh like that, or was there one that sort of preps you for it?

Mike Johnson

I liked Jeff’s answer of taking stuff apart to see how it works. I’m not a gamer, not really ever been much of one.

David Spark

Well, it doesn’t have to be video games, I should also point out.

Mike Johnson

Yes. But I will say, I did play World of Warcraft for a period of time.

David Spark

Yes, what am I talking about? You were addicted to that, weren’t you?

Mike Johnson

I had my moment.

David Spark

By the way, did you see what happened in China? They’re limiting kids’ game time to three hours a week?

Mike Johnson

I’m not surprised. There’s a lot of interesting changes going on.

David Spark

They have addiction centers in China too.

Mike Johnson

But World of Warcraft, all that really teaches you at best is teamwork.

David Spark

There’s some value to that.

Mike Johnson

It’s value, but it’s not necessarily security value. But, if you take things apart, for me, if I’m taking them apart to seeing how they’re work, what’s attractive to me is, that reinforces my curiosity. I can satisfy some curiosity by looking at this thing. So much of security from my perspective really is understanding how they work and not stopping at just the surface level. Letting my curiosity run wild, to understand what’s going on and why? At that point, I can actually have an opinion about what’s going on. When I think about games, that’s where I go to, looking at things differently and then that reinforces that way of looking at things.

David Spark

Good answer. Deneen, did you think about this in terms of games that you play, or have played, to get you to think in a security-hacker-like way?

Deneen DeFiore

I don’t play games either. I don’t know, I lose interest in board games really quickly and I never was a video game person either.

David Spark

By the way, are you one of those people, if you’re losing at a board game, you all of a sudden accidentally sneeze and just throw the whole board in the air?

Deneen DeFiore

No, I’m not one of those people. I’m a good loser. I just never really got into them. But I did think about it from a gaming perspective. I’ll not approach it from the hacker perspective, but maybe more from a decision-making and risk management perspective. I was thinking about the game Battleship, because I did play that when I was little. You’re blind, you don’t know what’s going on, on the other side. You have to make decisions based on limited information and then you have to deal with those consequences, whatever they may be and kind of pull that information in and pivot to win every attack. That’s what’s resonated with me. I remember playing Battleship when I was a little kid with all those little pins and stuff. But that’s what came to my mind.

David Spark

That’s a good analogy, I like that.

Deneen DeFiore

Yes.

David Spark

Well, I thought the answer of Diplomacy was interesting and, also, many of those kind of box games that were of the era of Diplomacy have a lot of negotiating skills in them. Not necessarily thinking like a hacker, but sort of operating in business and also thinking about what the demands and desires of the other players are, which you kind of need to know when you’re thinking about criminals too. You’ve got to think like a hacker, think like the enemy.

Closing

31:01:113

Alright, that brings us to the end of our show. Deneen DeFiore, I’m going to go so far as to say, the best sounding last name of any guest we’ve had, Mike.

Mike Johnson

I agree.

Deneen DeFiore

Awesome. I hope I can keep that title.

Mike Johnson

It will go in the Spark of Records.

David Spark

Spark of Records. The 1980 edition?

Mike Johnson

Yes, the 1980 edition.

David Spark

Thank you so, so much. I’m going to let you have the very last word here. One of the questions I always ask our guests and you teased it early on, so I think I already know the answer. Are you hiring? Make sure you have an answer to that one. I do first want to thank our sponsor Code42. Thank you, again, Code42. They have a very strong focus on insider risk and we’ve been doing a lot with them, talking about insider risk and, most importantly, not the malicious kind of insider risk, but the non-malicious, just the people trying to do their job. For more about that, go to code42.com. Mike, any last words?

Mike Johnson

Deneen, thank you for joining us. It was great to sit down and have the conversation. One of the things I really enjoy so much and treasure about doing this show is, hearing different perspectives. Everyone has had their own path and I really loved hearing and learning a little bit more about yours, how you go to where you are today, some of your ways of thinking. I really liked your discussion and description about how your background and passion is in the aerospace industry and that is what you have used and has kind of propelled you to where you are. That, combined with your security curiosity, has really given you a different perspective. I really appreciate you coming on the show, sharing your perspective and sharing your journey. Thank you.

Deneen DeFiore

Oh, you’re welcome, thank you.

David Spark

By the way, Deneen, do you know how to fly an airplane?

Deneen DeFiore

I do not, no.

David Spark

Have any desires to get a pilot’s license?

Deneen DeFiore

You know, probably not. I think I’ve probably missed that boat. Probably if I was a little bit younger.

David Spark

Alright. Deneen, any last words? Any plugs you want to make for United? Most importantly, are you hiring?

Deneen DeFiore

Sure. I think, from a last words perspective, I would just say, never stop learning. Security is such a dynamic field. Even if you’re a CISO, or Vice-President of whatever, in those leadership positions, make it a point to get grounded in the technology and newest attack methods, because you’re going to have to have that knowledge at least at a base level, in order to be able to make the decisions and help your team break down the barriers they need to do their jobs. So, I’m always learning and always want to. And then, yes, always hiring. We have a ton of positions. At united.com/careers, you can see them out there. We have intel analysts, detection analysts, contact developers, compliance, third party risk. You name it, there’s a position for you. We’re a great place to work and we’d love to have you.

David Spark

You’ll learn about cybersecurity, you’ll learn about aeronautics and, if you get to work with Deneen, you also get to learn about biology. Correct?

Deneen DeFiore

Maybe, if I remember.

David Spark

Oh, well, there you go. Let me quickly ask you. Can you think of anything in your studying of biology that’s ever come into your work currently? Anything?

Deneen DeFiore

Well, the compliance pieces of it, the privacy aspects, yes. When I was working in healthcare, you had to know all that, and especially now with COVID. I was like, hey, I remember how to handle electronic medical records. Just that.

David Spark

There you go. Perfect. Thank you very much, Deneen, thank you very much, Mike. Thank you to our audience, as always. We greatly appreciate your contributions, witting, or unwitting, which, by the way, the majority of them are unwittingly. I always can use more “What’s worse” scenarios. The “What’s worse” scenarios are way too easy for Mike and our guests, so we need tougher ones. We have a mix, we’ve got tough ones and we’ve got ones you’re like, oh, I can handle this one. Thank you everybody, as always, for contributing and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”