Delta CISO Debbie Wheeler: Security can’t be seen as a competitive advantage

Delta Air Lines CISO Debbie Wheeler has a vast environment to secure, ranging from the corporate systems that are typical for any business to customer interfaces to kiosks sitting in airports around the world—and the slew of data coming in from all the applications that they house.

Moreover, Wheeler and her security team have responsibility for not only traditional IT systems but operational technology and internet of things deployments in locations from Asia to Africa to the Americas.

They must secure tens of thousands of employees situated all over the globe, many of whom continue to work remotely.

And they must consider, too, Delta’s connections to the shared systems that exist within all the airports that Delta serves.

On top of all that, Wheeler and her cybersecurity department coordinate with the technical operations group, a specialized team trained in the mechanical and e-enabled operations of the aircraft to ensure the safety and security of planes that have become both mechanically complex and highly computerized. (Wheeler says she and others sometimes refer to modern aircraft as “flying data centers.”)

Wheeler, who joined Delta as its CISO in 2017, readily acknowledges the complexity and criticality of security in the aviation industry.

The volume and type of data that airlines collect makes them attractive targets to hackers. The critical nature of the industry makes it a target, too; in fact, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) in January warned of increased Russian state-sponsored cyber threats against U.S. critical infrastructure.

The pressure is on, Wheeler says: “In the aviation space, we’re dealing with the potential for a life event.”

Earning her wings

Wheeler draws on the extensive experience she has gained during her nearly three decades in the technology and security profession to run Delta’s security team.

She started as a network engineer for MCI, a job that early on put her into a security project. She built her security chops from there, moving up in the security ranks first at a healthcare company and then in the financial services industry. She had served as CISO for three financial firms, including Freddie Mac, before joining Delta five years ago.

Wheeler leans on those experiences to shape her strategy for Delta, explaining that core cybersecurity challenges and solutions transcend companies and any single industry.

“There are quite a few similarities—from the threats we experience to the technology we use,” she adds.

She says the breadth of her experience has also taught her that security fundamentals will carry any security strategy, regardless of the organization or industry, quite far.

As such, Wheeler puts the basics at the heart of her approach, saying that understanding the environment, inventorying its components, assessing risks, implementing robust patch/vulnerability management, a robust employee awareness and training program, and having sound policies for identity and access management are key elements for successfully securing any environment—including one as vast as Delta’s.

“Then you layer on top of that,” she says. “You get the basics right, then you can build all levels of complexity on top of those.”

Taking on the challenges

There are, of course, challenges to success, and Wheeler doesn’t shy away from naming them.

She says one of the top, as well as one of the most obvious, challenges is getting a clear understanding of and good visibility into the technology environment; that’s particularly true in the complex ecosystem that exists in the aviation industry.

Another top challenge is managing the risks that people themselves pose to security and getting them to embrace the part they must play in securing the systems and data they use, she says.

The task of selecting, leveraging, and prioritizing the right security policies, procedures, and technology also creates a challenge; Wheeler notes that she, like all CISOs, must balance security initiatives against risk and business enablement.

As a case in point, Wheeler points to the challenge of balancing security requirements and a good customer user experience. She says she has not implemented a policy that forces customers to change their passwords after a certain amount of time in use, because even though it’s an additional layer of protection, customers don’t always welcome such measures. That then requires security to find alternate measures, such implementing multifactor authentication—a move that Wheeler says she’s now exploring for customer use.

The network effect

And she’s collaborating with others, leaning on security researchers and other CISOs to identify vulnerabilities, risks, and threats.

Wheeler says such collaboration and information-sharing is critical if security leaders want to gain any advantage over the bad actors out there.

“The degree to which we can have that army for good, that’s where the playing field will get level,” she says. “We’re part of a broader network, and we’ve got to realize the strength that comes with being part of that broader network and the change we can effect.”

She adds: “We have to get to the point where security can’t be seen as a competitive advantage; it can’t be what we use to succeed against a competitor. Security has to be one of those areas where we come together to share best practices. Some of those might not be for everyone, but the sharing of them will serve us all and help us all to be stronger. And that’s what we need.”