Deneen DeFiore was completing a master’s program in healthcare administration when she stumbled into technology and cybersecurity.
“We were switching to electronic medical records and I kind of just gravitated to that, understanding the process and connecting all the dots. So I ended up moving into the technology space, and then evolving over time,” recalled DeFiore, Vice President and Chief Information Security Officer at United Airlines.
After taking on various roles in infrastructure technology, she went to work as a Chief Information Officer for a small business unit, where she experienced her first cyber incident. She learned quickly and tackled it on the fly, because such incidents were rarer in those days.
“It just clicked with me: This is going to be the next big thing because at the time, every company was beginning to go through a digital transformation, and technology was accelerating different capabilities across different industries,” she said. “I got through that experience and I was hooked.”
DeFiore’s history set the theme for her career progression: identifying a messy problem and figuring out how to fix it. She calls it “a journey with no destination.”
“Every day is different. There are new opportunities, new capabilities, and things change on a dime,” she said. “That has influenced how I determine what to work on, where I go next, and what I want to accomplish.”
At United, DeFiore manages cybersecurity and digital risk across an aviation ecosystem that ranges from network protection to connected aircraft. She joined the airline six weeks before the Covid-19 pandemic struck and had to pivot into crisis management almost immediately.
“We instrumented and secured remote access in a couple of weeks,” she recalled. “What would have taken 18 months before took only a matter of weeks.”
The move to United “was a big life decision,” she said, taken after she had spent 19 years at GE, including six at GE Aviation.
“I was excited about taking on a new challenge and opportunity, but I had grown up in the company I was with previously,” she said. “I knew the structures, the processes, the people, the culture. I had credibility going into United because I worked in the aviation sector, but I didn’t have those trusted relationships. So for the first three months, even when managing a crisis, I was actively listening and understanding what people cared about and developing those trusted relationships. I’m not going to lie, there were days when I asked myself, ‘What did I do?’ But it definitely made me stronger and I learned at an accelerated pace. It was a great choice.”
DeFiore’s biggest challenge is connectedness and the scope of what CISOs have to think about. “We’re managing systemic digital risk, but we’ve also got to think about the broader environment we operate in,” she said.
Another challenge is the pace of change in technology adoption.
“The way technology is consumed is a lot different than a few years ago,” she said. “We have to create a framework so people can understand digital risk and the consequences of the choices they make. We’re not always going to be embedded in every single project or every single initiative or conversation at the airlines, so we have to figure out how to make sure people have the right information to do their jobs compliantly and securely.”
DeFiore sees a lot of opportunity to think about cybersecurity differently. When it comes to security awareness, for example, that means going beyond giving people information about how to detect a phish or suspicious email. “It’s about giving people bits of information in the moment when they’re doing their jobs, so they can recognize a risk and understand the consequences,” she said.
She’s also trying to do a lot of engineering work on solutions to help United stay ahead of threats.
“We take advantage of commercial tools and platforms, and try to leverage them as much as we can,” she said. “We understand the threat actors and the risks in our environments, and evaluate our commercial tools to figure out the gaps.”
Like other CISOs, DeFiore is grappling with a personnel shortage, so she’s looking at different pools of talent and transferable skills to get people into cyber. She’s partnering with colleges to influence curricula and recruiting early on. She’s also taking mid-career workers who didn’t go the traditional college degree route and transitioning them into cyber.
With an operation as massive as United Airlines, you can’t put controls in every part, DeFiore said. “We try to figure out where we can leverage the workforce to do their jobs, or raise awareness of opportunities for improvement, and work with our team to close the loop,” she said.
United’s cyber organization rests on three pillars.
“One is to be brilliant at the basics,” she said. “Yes, we’re doing vulnerability management, but we’re also figuring out how to identify vulnerabilities quicker and remediate them faster, to make sure that baseline cyber hygiene controls are in place and continuously monitored so they are effective.”
The second pillar is advancing the organization’s capabilities as the threat and technology environments change. “We have to continuously look at our program to see what else we need to have to protect critical applications and systems and recover quickly,” she said.
The final pillar is aligning to business goals and growth targets, as the airline acquires new aircraft, new hires, new terminals and new routes. “We need to make sure that we are designing securely and supporting those outcomes in a secure fashion,” she said.
DeFiore has watched the CISO’s role evolve from a technology-focused role to more of a business risk role.
“There has definitely been an accelerated shift in the past couple of years because of the threat environment that you see,” she said. “Geopolitical conflicts are a much more tangible connection that business leaders are making, giving CISOs a role in risk-management discussions.”
On a macro level, the volume of cyber attacks is rising exponentially, DeFiore said. “It’s not just cyber crime, but even nation-states have shifted tactics,” she said.
“We’re not just looking at IP theft to gain economic advantage, but at a lot more disruption and disinformation as everyone moves into more digital interaction. There is a whole shadow industry that’s fraudulent, like bogus travel agencies that claim to help you but take your money or your miles. Or illegitimate contact centers that are set up to scam customers. We’ve seen a real high spike in that. Digital fraud has been around forever, but it’s more prevalent and in your face now.”
A successful CISO, she said, needs a baseline understanding of technical concepts because most of the controls and approaches they put in place are technical. But business acumen is crucial, she added.
“You really need to understand what your organization is trying to accomplish and how you enable those outcomes in a manner that has a risk-management focus,” she said. “There are tons of things that I, as a cybersecurity professional, would never do. But I understand the opportunity from the perspective of revenue generation or customer experience, so I have to figure out how to do it in a manner that reduces risk to an acceptable level.”
As a rare woman in the CISO’s seat, DeFiore urges women cybersecurity practitioners to have more confidence in their skills.
“One thing that I’ve noticed as a trend as a woman in cybersecurity – and this has been proven in a lot of research – is that we feel we have to have all the boxes checked to go after a job, instead of looking at what transferable skills we have, like baseline analytical skills and willingness and ability to learn,” she said.
“My experience has been that despite ups and downs, when I have put myself out there, things have always worked out. I’m passionate about the industry. I like to learn, I like to do research, talk to people and connect the dots. I would encourage other women to think about that as well.”
DeFiore does a lot of mentoring, and she also thinks sponsorship is important. “Having someone in your network who will sponsor and advocate for you – and even look out for you and push you into opportunities – is so important. I’ve tried to make it a priority to not only mentor, but where I can, have a trusted relationship, advocating for people, and women especially.”
To relieve the relentless pressures of her job, DeFiore schedules time for herself. “I block out my calendar for three hours on a Friday afternoon so I can just level set, rest and think about what I need to focus on,” she said. “I also work for an airline, so I’m going to take advantage of that and purposely take a week off every quarter to disconnect and be with my family. It’s important to let your mind go, trust your team, and trust your operations.”
Running allows her to clear her mind, and she also enjoys gardening.
Sometimes during repetitive tasks like deadheading perennials for two hours, “you get a great idea because you’re not thinking directly about what’s happening,” she said.
“That also helps me to level set and get me a little grounded.”