CyberWire Daily - Solution Spotlight on the 2024 NICE Conference Keynote: A Journey with No Destination: A CISO’s Pathway to a Cybersecurity Career. [Special Edition]
Episode Date: June 3, 2024
As part of our series on the 2024 NICE Conference, we turn our focus to one of the keynote speakers of the conference. This year’s conference theme “Strengthening Ecosystems: Aligning Stakeholders to Bridge the Cybersecurity Workforce Gap” highlights the collective effort to strengthen the cybersecurity landscape. By joining forces with key partners, we can foster a more robust cybersecurity ecosystem to bridge the workforce gap. In her keynote coming up on Tuesday, June 4th, Deneen DeFiore, Chief Information Security Officer of United Airlines, will discuss "A Journey with No Destination: A CISO’s Pathway to a Cybersecurity Career." Prior to the conference, Simone Petrella, N2K President, caught up with Deneen DeFiore. They discussed Deneen's history with NICE, the importance of prioritizing cyber talent and workforce issues, what stakeholders need to more effectively tackle the cyber skills and experience gap across the profession, and more. Find out more about the Workforce Framework for Cybersecurity (NICE Framework) (NIST Special Publication 800-181, revision 1). Listen to our podcast about the update. Stay tuned for our coverage of the 2024 NICE Conference.
Transcript
You're listening to the CyberWire Network, powered by N2K.
[...] special edition N2K CyberWire podcast. [...] DeFiore about her upcoming keynote, her history with NICE, the importance of prioritizing
cyber talent, and how stakeholders can more effectively address the cybersecurity skills
gap.
So, Deneen, so excited to have you here today and incredibly excited to hear that you'll be keynoting the
NICE conference in June in Dallas.
Yeah, thanks for having me.
I'm very excited about talking to you today and also about the conference.
It should be a wonderful event.
Now, to kick things off, I did a little bit of digging and I see that you are not a newbie
to the NICE conference.
You have definitely been part of it in the past.
But what first brought you into NICE's orbit?
And why do you think it's important for the industry to prioritize cyber talent and workforce?
Yes.
So I first became aware and involved in the NICE efforts a few years back. And that's really because, you know, we have a significant
problem with attracting and retaining and, you know, just kind of developing our cybersecurity
workforce in pace with the threats, evolution, the digital dependencies, and kind of the state of organizations and businesses today. So
I was really looking for a way to help shape kind of the initiatives and influence and
provide a framework, right, for myself and organizations to be able to help with that issue.
Yeah. And I think for context, would you be willing to share a little bit about your own personal journey into cybersecurity and how has that kind of shaped your viewpoints as you look at the future of talent here?
Sure. So I am not a, I'll say a computer science or
cybersecurity educated by a school or school. I actually have a biology degree. So I got into technology
and cybersecurity because of my experiences and kind of being there probably at the right time,
right place at the right time. I mean, not discounting all the hard work that I put in.
But I had the opportunity to be in the, when cybersecurity was kind of evolving and becoming its own
expertise and domain to kind of grow up in that way and shape my skill sets and approach
to cybersecurity.
So, you know, I had the, I'll say the aptitude and desire to learn.
And I, you know, at that time, back when I was doing this, there wasn't
cybersecurity degrees, right? There wasn't, you know, a big framework or, you know, programs and
curriculums to be able to be a cybersecurity professional. So it was really kind of making,
you know, my experiences and transferable skills into something that would work for the situation and jobs and roles that I was in.
Yeah. Now, I have to ask because you brought up your background and your degree in biology.
And I've been in cybersecurity for 15 years and I'm an international relations major.
So I'm in the same boat.
But, you know, what is your kind of advice or take when you talk to other peers or employers
where now there's so much focus on finding people
who either have a cybersecurity background
or a specific degree.
And I often kind of wonder, like,
are we losing something if we limit ourselves
to now only looking at people
that come from that very limited background?
Because I've worked with some people
who have biology degrees and history degrees
and music degrees.
Right.
And, you know, it's kind of created this, like, amazing diversity of thought.
And I sometimes worry, like, what are we doing?
Right, I agree.
We're only looking for the cyber degrees.
Yeah, and I think, you know, many diverse backgrounds and experiences to address
the skill set gap and the resource needs that we have across, you know, the cybersecurity
industry.
So, you know, someone took a chance on me and gave me that opportunity.
So I definitely want to figure out a way to pay that back, right, and make sure that those
opportunities are available for folks that do have desire and potential and enthusiasm for getting into this field.
I also think, you know, cybersecurity, you know, I am in the same time frame as you are, you are 15, you know, about 15, 19 years, 15 years in cyber particularly.
And it still is nascent compared to, you know,
engineering disciplines or computer science disciplines or, you know, even, you know,
accounting or financial disciplines, right? There's years and years and years and years of frameworks and approaches and standards that go into how you do that job. We're still figuring it out, right? So I think
allowing people with that potential and even transferable skill sets, because context matters.
If you know how the organization or the business operates in whatever particular domain,
you may be a procurement or third-party procurement analyst, risk analyst.
You probably could come into cyber very easily with that risk management supplier vendor risk management hat on and learn the specific skills around cyber.
And you just add that to your toolkit and be able to perform well. So being able to cast that net pretty wide, leverage potential and different experiences,
and bring that back into cyber, I think is, you know, a recipe for success.
And I know a lot of organizations are starting to do that now.
Yeah.
I love that perspective, especially I would imagine in the aviation industry where it's
just, you know, such a different business context. And, you know, would you be willing to share some of like,
how are you guys thinking about those types of initiatives within United? And how do you
overcome the balance or the need of, you know, you want the experience in those roles, but then if
there's not enough, you kind of have to put in the time to maybe take someone who has the business context and perspective, but then teach them how to be successful in a cyber role.
Yeah, so we've leaned into that at United, and we have an overall,
an overarching strategy at the business level, right, to whether it be, you know, attracting
talent and training folks to be a pilot, right, and giving them the training and skill sets and experiences they need to grow in that expertise and then come on to United.
We have programs like that, and we have one particularly in digital technology.
It's called Innovate, and there's a cyber innovate pathway in that program. So we're able to bring not only just entry-level or college graduates into that program, but say a mid-career person that worked in airport operations or in tech ops engineering and has a desire to learn the cyber skills.
We bring them into that program and they get rotations, you know,
in different domains of cybersecurity and technology.
And then they're able to also pair that experiences with training, you know, technical
training and skills mastery.
So we give them, you know, whether it be course training online, you know, online or in
instructor-led training.
And then we also provide a chance to get them credentialed and certified in some, you know,
in some of the different cybersecurity certifications.
So they're getting that experience, and they're also gaining and proving their capability
and competency across, you know, several domains in cyber.
And then when they're through that pathway, they're able to roll off into a, you know,
full-time role at United.
And they not only know the domain, but they know the organization and our priorities.
And they're able to navigate that first job in cyber a lot better or more successfully than they would kind of coming in cold.
So we've had a lot of success with that, and we're going to continue to expand and leverage and grow that program and concept.
Yeah. Well, the theme of this year's conference is strengthening ecosystems and aligning stakeholders to bridge the cybersecurity workforce gap.
And you've kind of talked a little bit about what United is doing.
What stakeholders are you really—did you have to or do you have to consistently coordinate with to kind of make a program like what you're describing successful?
Yeah. So, I mean, this is a commitment, you know, at the, I'll say the
highest levels of the organization across the, you know, because technology and cyber are considered
critical skills to keep United, you know, competitive, innovative, and, you know, in our case, secure and protected.
So, you know, we have a cross-functional group that works together with HR, with government
affairs, with, you know, community outreach, diversity, and inclusion, right? And the technology
experts to kind of put a comprehensive approach and consider all aspects. We just don't really look at it at a, like, just as a talent
pipeline, right? I mean, that's a benefit of what we're trying to do, but it's really a testament
in our commitment to fostering that skills development, bridging skills gap in an
increasingly competitive market, right? Job market and cybersecurity, there's like zero unemployment
with traditional talent and non-traditional talent. So we're really committed to that.
We'll be right back.
I talk to folks from a lot of different organizations, and I feel like the answer always is a very wide spectrum of, you know, this is top-down, we have all this great buy-in.
You know, what advice do you have for those who feel really strongly about the issue, but maybe have not been able to form a dedicated and committed group within the organization
that's kind of focused on that?
Like, how do you kind of tell your, you know, like CISO peers, like, this is important,
and you kind of have to advocate for it and maybe get some other people bought in.
Yeah. And I think, you know, there are different programs,
whether it be, you know, something like Year Up or a program like that in individual communities
that, you know, organizations that don't have a, you know, a talent pipeline, you know, initiative
or a strategic skills, you know, development program at a
company level, if it's just their department or they're trying to figure out a, you know,
how to solve their particular problem in their organizations, I would say definitely reach out
to the community. There's apprenticeship programs that are being sponsored by,
you know, even some of the government organizations
as well to leverage that. And you can start small, you know, see if that's successful.
And then, you know, once you get that kind of going, then you'll be able to demonstrate that
success and probably gain buy-in, right, to do something a little bit more scalable in your
organization. And I would also say, too, is if you're an organization and maybe you're trying to recruit
a handful or fill gaps with a handful of cyber roles, look for, I'll say, opportunities with
your peers because it could be partnering with the engineering organization or with
the IT organization or with whatever field service with whatever it is in your context that might have the same type of needs, but you can get pull from the same [...]
[...] so interesting about NICE and the NICE conference is that it brings together government, academia, and industry to solve this problem. And
to kind of keep going with that theme around stakeholders, and if we broaden that, you know,
how do you think we as a profession can be most successful when we talk about, like, engaging
all three of those large stakeholder groups to really kind of tackle this
issue across the board?
Yeah, I think, you know, the collaboration across those stakeholder groups
is key. So really figuring out how collectively we can solve that problem and getting engaged,
you know, we didn't, you know, even to meet our needs at United, like I mentioned, we worked with
our government affairs folks to
reach out to, you know, the folks at NICE to see what we, you know, how we could partner or what
options we had to, you know, accelerate some of the outcomes that we were trying to get. So I
really do think, you know, that collaboration across that, across the stakeholder groups is
great. We continue to develop relationships with different universities
and schools, even at high schools and, you know, different apprenticeship programs and look for
opportunities across the board too that organizations are, you know, trying to accomplish
state outcomes and we try to work collectively together.
Yeah. One of the things that I know,
you know, I've had a lot of conversations around with folks is when we talk about the talent and some of the workforce gaps that exist, that it's really more of an experience gap as opposed to a kind of a talent gap, meaning we have this greater need at like the mid and more experienced levels than we do for entry level talent, which creates a little bit of a dichotomy because we have all these graduates who want entry-level jobs, but they can't get them.
And at the same time, you can't kind of make room for them unless you get people to progress up.
So how do you kind of view that conundrum?
Yeah, so I think it's important to make a
conscious decision as the leader of an organization as you look at your organizational strategy to
kind of reserve whatever amount of headcount you can, right? Even if it's just a handful
to continuously develop that pipeline, right? So you have to reserve space for those entry-level
jobs and understand that, you know, if it's a person coming right out of college, if it's a
person coming out of, you know, an apprenticeship program, or if it's a person mid-career that's
coming into a completely new domain, that you have to have a support structure that can make them
successful and give them the skills, right, and experiences you need to be in that next role. So we really think about,
you know, those entry-level roles as not that you have to have two years of experience or whatever,
like we're going to set you up to get that, and then you get your, I mean, technically your first
job, right? Because otherwise, that barrier to entry, and that is a problem, you see that all
the time. You see that all the time.
You see commentary on social media or LinkedIn about, you know, I have a cybersecurity degree.
I've done these internships or I've got these certifications on my own and, you know, no one's willing to take a chance on me.
So creating that space intentionally as a leader, even if it's one or two people, you know, one or two positions, if that's all you can spare, is really, really important. And that's going to help that kind of
mindset and approach to organizational development is something I think is that needs to be the norm
going forward.
Yeah. And that's a really great point. What you're effectively saying is
growing a pipeline isn't just growing the pipeline to enter the position. It's you have to keep the whole pipeline flowing all the time.
You know, it's not just this, like, I think a lot of times we think about it
as just this singular thing that they, like, get in the door and they're done.
But it has to keep moving throughout, like,
the development of all those roles and positions.
That's right. Yeah.
Deneen, is there anything else that you wanted to maybe tease or highlight
as far as what you'll be talking about at the conference here in the first week of June in Dallas, Texas?
[...] our approach and journey and sharing some pretty unique and exciting success stories
that we have had with our approach to the Cyber Pathway Innovate program and developing
our organization in a very unique time and industry.
So it should be really cool for those of you who like cybersecurity and maybe even those of you who are aviation geeks, as they call themselves.
Yeah.
Well, no, incredible.
And I'm sure that our audience, we have a sister podcast that actually deals with all things space and aviation, so mostly outer space.
But I have a feeling that audience in particular will be very interested to hear how the intersection of security and aviation kind of comes to light.
I'm really looking forward to your talk in June.
Great, great. I'm looking forward to being there and participating as well.
That's our special edition N2K CyberWire program.
Thank you all for joining and thanks to our special guest,
Deneen DeFiore, for sharing their experience and insights.
Remember, N2K's strategic workforce intelligence
optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
Our mixer is Tré Hester with original
music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive
editor is Peter Kilpe, and I'm Liz Stokes. Thanks for listening. We'll see you back here soon.