United Airlines CISO: To soar, security teams must focus on business, not technology

News by Bradley Barth

Many corporate IT security organisations are starting to realign their strategies by taking less of a technology-focused approach and instead prioritising what's most important from a global business perspective, according to Emily Heath, VP and CISO at United Airlines in the US.

This approach requires security teams to develop an understanding of the most critical functions that drive the company, and the various needs and risks of each business department — something Heath herself seeks to achieve in her role at the airline carrier.

"What the business thinks is important enough for us to secure is how we should be approaching it," said Heath in a keynote speech at the 2019 RSA conference in San Francisco, USA this week. "I probably spend less than 10 percent of my time with technology. I spend 90 percent of my time with legal, with business partners, with corporate communications, with human resources, with the tech ops folks who run the operations for us. I spend a lot of time with the business trying to understand what they do so I can apply the right strategies to security in their environment."

Putting business over technology is one part of Heath's three-pronged security philosophy. The second component is developing a security culture and brand and weaving it into the fabric of United's operations. This involves being honest and transparent about security and threats, spearheading the education of employees and executives, and openly embracing creative solutions to various threats.

"We're the first sometimes to blame our colleagues and say, 'Well, they keep opening up these phishing emails,'" said Heath. But "it's our responsibility to educate them," she added, noting that to curb such behaviours United runs simulated phishing attack campaigns and tracks how employees respond.

"What’s most important about it is taking the data from behind the scenes and turning that into something useful," Heath continued. "If the finance team is having a particularly high click rate one month, maybe we’ll dedicate and [run] a security training program just tailored toward finance."

The third and final aspect of Heath’s security philosophy is to develop a diverse, multifaceted workforce to maximise available talent. According to Heath, 46 percent of United’s cyber-team is female and 48 percent are people of colour.

But diversity doesn’t just mean cultural and ethnic backgrounds. United is also looking for a wide range of education and career backgrounds.

"I feel really strongly about hiring people for their skills and not for their titles. And the reason for that is because a lot of these cyber-security problems that we’re all trying to solve right now have never been solved before," said Heath. Limiting the talent pool to just cyber-security professionals with computer science degrees is actually counterproductive, she continued.

"To me, 'diverse teams' translates to 'creative teams,'" she said.

This article was originally published on SC Media US.
