Many corporate IT security organizations are starting to realign their strategies by taking less of a technology-focused approach and instead prioritizing what’s most important from a global business perspective according to Emily Heath, VP and CISO at United Airlines.
This approach requires security teams to develop an understanding of the most critical functions that drive the company, and the various needs and risks of each business department — something Heath herself seeks to achieve in her role at the airline carrier.
“What the business thinks is important enough for us to secure is how we should be approaching it,” said Heath in a keynote speech at the 2019 RSA conference in San Francisco this week. “I probably spend less than 10 percent of my time with technology. I spend 90 percent of my time with legal, with business partners, with corporate communications, with human resources, with the tech ops folks who run the operations for us. I spend a lot of time with the business trying to understand what they do so I can apply the right strategies to security in their environment.”
Putting business over technology is one part of Heath’s three-pronged security philosophy. The second component is developing a security culture and brand and weaving it into the fabric of the United’s operations. This involves being honest and transparent about security and threats, spearheading the education of employees and executives and openly embracing creative solutions to various threats.
“We’re the first sometimes to blame our colleagues and say, ‘Well, they keep opening up these phishing emails,” said Heath. But “It’s our responsibility to educate them,” she added, noting that to curb such behaviors United runs simulated phishing attack campaigns and tracks how employees respond.
“What’s most important about it is taking the data from behind the scenes and turning that into something useful,” Heath continued. “If the finance team is having a particularly high click rate one month, maybe we’ll dedicate and [run] a security training program just tailored toward finance.”
The third and final aspect of Heath’s security philosophy is to develop a diverse, multifaceted workforce to maximize available talent. According to Heath, 46 percent of United’s cyber team is female and 48 percent are people of color.
But diversity doesn’t just mean cultural and ethnic backgrounds. United is also looking for a wide range of education and career backgrounds.
“I feel really strongly about hiring people for their skills and not for their titles. And the reason for that is because a lot of these cybersecurity problems that we’re all trying to solve right now have never been solved before,” said Heath. Limiting the talent pool to just cybersecurity professionals with computer science degrees is actually counterproductive, she continued.
“To me, ‘diverse teams’ translates to ‘creative teams,'” she said.