Our Developers’ New Motto is “LLM Take the Wheel”


Oh no, we’re going to leak company data! That was the first concern when AI tools were first introduced. But now developers and those who are not developers are leaning on AI to write code. We’ve just leveled up. We have a new risk: more insecure code getting to production. How do we start quantifying this new productivity and risk impact?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Deneen DeFiore, Vice President & Chief Information Security Officer, United Airlines.



Huge thanks to our sponsor, Vanta

Say goodbye to spreadsheets and screenshots

Vanta automates evidence collection needed for audits with over 350 integrations, giving you continuous visibility into your compliance status. And with cross-mapped controls across 30 frameworks, you’ll streamline compliance and never duplicate your efforts. Learn more at Vanta.com

Full Transcript

Intro

0:00.000

[Voiceover] What I love about cybersecurity. Go!

[Deneen DeFiore] Well, I love cybersecurity because there isn’t a blueprint to follow. Every day you’re waking up and seeing the dynamic threat landscape, responding to new technologies, and it’s really, really energizing for me to be able to do that. The level of innovation and creativity really kind of gets me going.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series, and joining me as my co-host, it’s Andy Ellis, a partner with YL Ventures. Andy, say hello to the nice audience.

[Andy Ellis] Good evening, folks, or depending on where you are in the world, good night, good morning, or good afternoon.

[David Spark] Or maybe they’re just listening to us as they’re sleeping and they’re hearing us in their dreams.

[Andy Ellis] It totally possibly could be, in which case, sweet dreams.

[David Spark] Sweet dreams. There you go. We’re available at CISOseries.com, where you can find lots of our wonderful programming out there. And our sponsor for today’s episode is Entro Security, non-human identity and secrets security platform. NHI, non-human identities – this is what they deal with.

More about exactly that a little bit later in the show. Now, Andy, I’m going to bring our guest in right now because you did something that made me think that Deneen deals with this all the time. Now, our guest for today’s show is the VP CISO of United Airlines, Deneen DeFiore. Deneen, welcome to the show.

[Deneen DeFiore] Hi, thanks for having me.

[David Spark] All right, so here’s my question. And Andy said, everyone flies, or most everyone flies. Once you tell someone you work with United Airlines, everyone’s got opinions, everyone lays it on to you. They go, “Oh, I love this, I hate this, yada, yada.” How annoying does it get after a while?

[Laughter]

[Deneen DeFiore] No, it never gets annoying. I’m always I love to hear…

[David Spark] But like you become this customer service representative wherever you go, yes?

[Deneen DeFiore] I do. I do. I do. And people seek me out for that. Not only people I know, people I don’t know on LinkedIn and Twitter or X, whatever it’s called now, they find me and talk to me about it as well, too. But always open to feedback and happy to help.

[David Spark] But if you go to like a cocktail party, you’re out there with friends, they ask what you do, you let them know you work for United Airlines. Do you then get an earful?

[Deneen DeFiore] Yes, I do, I do. I become either the customer service agent or the travel agent, either one.

[Laughter]

[David Spark] So, you’re cool. You’re saying this all with a smile on your face because all I can think is, as Andy was peppering you with his travel things, and he wasn’t specifically attacking you, he was just sort of blaming the entire industry in general and then listing off a series of other airlines, you went along with the whole thing.

It seems like you’re cool with it.

[Deneen DeFiore] I am. I am. And I love the industry, right? There’s always positives, there’s always negatives, there’s always room to improve. But I love aviation. I’ve been in it forever. So, I’m here to stay. I’ll take the feedback.

[Andy Ellis] When I was doing work with Orca, I got to say, Deneen and the whole United crew were fantastic because I would take Orc the orca, the stuffed animal with me on trips, and take pictures in the lounges, on the planes, etc., and everybody was engaging. It was amazing.

[Deneen DeFiore] Yes, we loved it.

[David Spark] It’s just a small stuffed animal. It was no big deal. It wasn’t like you were bringing an actual orca onto the plane.

[Andy Ellis] No, but it was like right as people are coming out of COVID, there’s not a lot of flyers, and so having somebody out there, I provided very direct commentary on the food selection in every single club.

[Laughter]

[Deneen DeFiore] Yes, yes, it was good engagement, great engagement.

[Andy Ellis] Well, we appreciate you being a good sport.

Can’t we all just get along?

3:57.792

[David Spark] “Despite the belief that cyber regulations are helping the organization, there’s a significant difference between CEO and CISO/CSO confidence in their ability to comply with these regulations.” Now that finding came from PwC’s 2025 Global Digital Trust Insights report, and there are some pretty big gaps.

So, less than 2% of executives have implemented cyber resilience across their organization, less than 50% of CISOs have CISOs involved with strategic planning, and CISOs aren’t nearly as optimistic about complying with cybersecurity regulations, particularly around AI. And only 15% of CEOs measure the financial impact of cyber risk.

So, this is like eating an elephant. You just start by taking one bite at a time. Andy, where should CISOs begin chewing to start closing these massive gaps?

[Andy Ellis] So, let me start by throwing some shade at this report.

[David Spark] Okay.

[Andy Ellis] Like first of all, the 2% headline number is only 2% have implemented across the organization in all areas, everything. Like I am surprised you find 2% of the people who are willing to say, “Yes, we have implemented every possible cyber process across every part of our organization.”

[David Spark] It could be 2% are liars too.

[Laughter]

[Andy Ellis] I’m surprised that only 2% are lying. Flip it to the other side of this one, and it seems like that one should be more. So, let’s start with that. Let’s not get scared by the 2% number. Let’s also note that compliance for its own sake, and recognize this is coming out of one of the big four firms, they want you to implement lots of process, pay them lots of money to do it.

I really want a risk-based model, and I think they aim for this, like go where your risk is. But they’re focused on risk quantification. And I think every reader here and listener here knows that I am the person who thinks that cyber risk quantification is snake oil. Like people shouldn’t be doing this.

It’s useful as a way to sort of get your brain in order, but this is not like, since we’ve got Deneen here, it’s not like trying to quantify fuel loss. Like there’s some really easy quantifiable things that you say, “Oh, look, if we fly into stiff headwinds, it costs us this many more dollars.”

But there’s a reason that when the system safety world, which is what good security people learn from, really learns a lot from the airline industry in which you talk about unacceptable losses, not about dollar losses. But there’s a reason that when a plane goes down, airlines stop saying passengers and start saying souls, right?

To basically say, “We’re not going to quantify a loss here. This is just unacceptable.” And if you’re trying to do quantification with unacceptable losses, you’ve already missed the boat.

[David Spark] Well, and that changes industry to industry. Okay. So, there’s a cyber resilience and the resilience that you have at United Airlines is probably very, very different than many other organizations too.

[Deneen DeFiore] Sure.

[David Spark] So, you are probably in this low percentage that has a cyber resilience across your organization. You don’t have to speak to your own specifics for any matter, but whether this is true or not, how do we close gaps in this sort of both CISO and CEO thinking?

[Deneen DeFiore] Right. Well, I think the first bite of the elephant really is to get that alignment between your CEO and your senior leadership because if they don’t see the CISO as an integral part of the leadership team, the strategic planning, we have to make them see that, right? We have to advocate for our roles that we’re enablers of digital trust, not just defenders of threats.

And that means ensuring operational resilience, right? If there is an outage related to a cyber incident, and we can’t fly planes, that’s a real impact on the business, right? Flights get delayed, flights get canceled. If we don’t meet our customer trust obligations, and people don’t trust our brand because of whatever digital interaction, then that’s a real impact on the business and the bottom line.

So, really getting that alignment and establishing the impact you can make as a leader is really, really important from a cybersecurity perspective.

[David Spark] I’m in a thousand percent agreement here, but can you give me sort of a little like brass tacks feet on the pavement of how does a security leader say, “Hey, I don’t think we’re on the same page here.” How do we get there? Like, how does that actually happen? Because I mean, think about this, even in a marriage, couples have to get an alignment of how they raise the kids.

Like that’s tough, too.

[Deneen DeFiore] Yeah. I mean, it is really that constant communication, and I’ll say alignment to the business objectives. You have to be in the operating rhythms that your operations and your business leaders are, you can’t be separate than that. So, you need to be in the daily start the airline call, right, or start the operations call.

And you have to understand how to connect those dots to say, “Oh, okay. What we’re doing makes a difference, and I need to understand this risk, and I need to communicate now to that operations leader about XYZ.” And it’s different for every business, but you really have to make sure that you are proactively embedding yourself in the operating mechanisms of your business, not just sitting off to the side doing your cyber risk reviews, or your incident reviews, or whatever.

It’s the operational pieces that really make the difference. I always say, like, I know we have to protect data, and we do. But given the state of data protection, as it is now versus 20 years ago, that’s not the table stakes anymore. Protecting the operation and enabling your business outcome is table stakes for the cybersecurity leader.

It’s not, “Did you have data loss?” Eh, okay. It’s, “We don’t want that to happen.” But it’s really about did you enable the operations to make the money to enable the service to deliver the goods, right, within a timely and safe and quality manner, and if there’s something that happened, can you get it back to normal operations really quickly?

Is AI going to help us, or hurt us?

10:07.211

[David Spark] When we think about AI risk, a lot of times we focus on the models themselves. The more fanciful will invoke sort of a Skynet apocalypse, the more banal concern is leaking company data. But what are the actual risks the output of these models can create? Shaun Waterman at Compiler argued that these can create lazy code, with tools like GitHub Copilot being fantastic resources for seasoned developers, but it can introduce risk in less experienced hands.

Now, as companies see these tools as productivity superchargers, there’s increasing pressure to use them to ship code more quickly than ever. And on the threat actor side, we’re seeing these tools being used to simply extend traditional cyber-attacks, just potentially with more scale. So, Andy, I’ll start with you here.

When it comes to the risk these AI models introduce, what’s your focus? Like, where do you truly see the real risk?

[Andy Ellis] So, I think this is in the right direction. The risk really is around do we trust the output and are we learning from that process, and the best article I have yet read about this was written in 2002, by Joel Spolsky, who wrote a blog post called The Law of Leaky Abstractions, and he’s really talking about Java at the time.

And he basically says, look, there’s a lot of things that live under an abstraction barrier that if you understand what’s going on there, you then can see what’s happening above it. When you see your code behave in a certain way, you might be like, “Oh, I probably have a memory leak, or I’m not running on big enough hardware,” whatever it is.

And when you lose that understanding of the knowledge of complexity of what’s going on underneath it, you sort of don’t have the ability to reason about what’s happening. And if you let AI write your code, you just think of AI as basically being like visual basic or Java or something else that’s an abstraction barrier between your prompt engineering and some other level of code, which then has more abstraction barriers below it.

You’re basically living in the penthouse apartment, but you have no idea what the I-beams are that are supporting you.

[David Spark] All right, I throw this to you, Deneen. Do you agree with essentially what was suggested here by Shaun Waterman, as essentially it’s the code it’s producing and the lazy or the inexperienced people having hands on it?

[Deneen DeFiore] Yeah. I mean, I definitely think there’s a risk to that, but I definitely agree with Andy that focus is not just on securing AI itself, but managing the downstream risks of those outputs, right? That requires a shift in mindset. And it’s like you said, that abstraction layer, not viewing AI as a black box, but treating it to that system whose outputs need rigor, testing, governance, all that kind of stuff, right?

It’s been around for a while. GenAI is newer. It’s still code, right? It’s still code, and we still have to do the same things that we do now that we’ve done all that before, right? But we do have to look at the outputs and that systemic digital risk is really important specifically with AI.

Sponsor – Entro Security

13:16.919

[David Spark] Before I go any further, I do want to mention our fantastic sponsor and that is Entro Security. So, here’s a stat that might surprise you – 62% of all secrets are duplicated and stored in multiple locations without most organizations even knowing. Now this duplication creates an even bigger attack surface, leaving you vulnerable to leaks, breaches, and unauthorized access.

When it comes to protecting non-human identities and secrets, knowing where your sensitive data is stored is half the battle. We know this. You can’t protect anything that you don’t know where it is. This is the classic, the assessment of what you have.

So, that’s why Entro Security has developed powerful discovery and inventory capabilities. With just one click, Entro seamlessly integrates with all your systems, mapping historical context of every place where secrets can be stored or potentially exposed. We’re talking about vaults, code repositories, and even collaboration tools.

Entro Security’s discovery and inventory tool identifies these overlaps and gives you complete visibility into where all your secrets live. With this level of insight, you can finally clean up, secure, and control your data in a way that’s never been easier or more efficient. Simplify your security with Entro Security and stay ahead of your non-human identities.

Just go to their website, entro.security. Simple as that.

It’s time to play “What’s Worse?”

14:46.534

[David Spark] It is time for “What’s Worse?” I know you know how to play this game because you’ve played it before, Deneen.

[Deneen DeFiore] I have. [Laughter]

[David Spark] All right. So, just so you know, I make Andy answer first, and then you can agree or disagree with me.

[Andy Ellis] Then you get to agree with me.

[Deneen DeFiore] [Laughter]

[David Spark] You can agree or disagree with him. But I’m going to say this.

[Andy Ellis] David hates it when you agree with me.

[David Spark] Well, first of all, you get the first crack at it too.

[Andy Ellis] Oh, it’s totally unfair. I get the first crack. I get to shape it. If these were perfectly balanced, I would already get a 50% agreement rate.

[David Spark] But it’s hard to get a perfectly balanced one.

[Andy Ellis] I think we’ve had two in the last five years that I thought were complete toss-ups.

[David Spark] Well, they are tough. The way Mike Johnson does it is he goes, when he gets one that’s perfectly balanced, he doesn’t know which one to go, he goes, “I’m just going to pick one and go with it. I’m just going to pick it and argue it, and that’s the direction I’m going.” All right. So, there’s a business aspect to these two “What’s Worse?” scenarios, and there’s a human aspect to it too.

[Andy Ellis] Ooh, I like this already.

[David Spark] So, I’m going to ask you to sort of answer in both ways because there’s a big impact in both directions.

[Andy Ellis] Oh, so I can pick each one for a different category, I love this.

[David Spark] Possibly. Possibly. But I’m interested. This is actually what Jay Dance of StubHub, he’s the one who’s actually submitted many great “What’s Worse?” scenarios.

[Andy Ellis] Oh, yeah. He does fantastic ones.

[David Spark] So, he submitted this. All right. Situation number one, Andy. One of your employees has had a really tough time over the past few months that has worn down their mental health. They’re so frazzled that their actions directly lead to allowing a threat actor to steal three months’ worth of payroll from your business.

Okay?

[Andy Ellis] Okay.

[David Spark] Employee, it’s just a mess, and now you’ve lost a significant amount of money. Or another bad situation for an individual.

[Andy Ellis] And I just want to clarify that we directly believe that it’s because of their mental exhaustion that this something happened.

[David Spark] Yeah. And they accepted to like, “I’m sorry.”

[Andy Ellis] I just want to set the…

[David Spark] They recognize it. They’re a mess.

[Andy Ellis] Yeah. I don’t want Nir to yell at me.

[David Spark] They’re upset. All right. Now, one of your employees is sextorted. The sextortionist terrorizes your employee into installing the means on your business network for threat actors to then steal intellectual property. Now, it hasn’t actually happened yet, but the means is there, and it can be done.

All right? So, in this situation, Andy, which one’s worse?

[Andy Ellis] Okay. So, the human aspect, this is easy. The second one is worse.

[David Spark] Okay.

[Andy Ellis] Straight up. I got no doubts about that one. Obviously, there’s that. Let’s talk about the effect on the company perspective.

[David Spark] Mm-hmm.

[Andy Ellis] You know something? This one’s challenging because I actually want to talk about the manager problem here as well. Because the first one that we talked about, that employee who was frazzled, we have a culture problem.

[David Spark] Right.

[Andy Ellis] That nobody noticed and said, “Hey, let’s do what we can for this employee.” And here’s a really important thing for managers. Don’t go talk to HR at this point. Like if you have somebody who’s mentally worn down and just needs a little break, as a manager, you can basically pay them to not show up to work as long as you don’t tell HR.

[David Spark] By the way, can you say that one… You mentioned a policy that you had that any employee is allowed to let another employee go?

[Andy Ellis] Yeah. Any employee can. We used to have this when I was at Akamai, anybody on my team could send anybody else home. They could just be like, “You should not be in the building,” either emotional or physical. Like, “You’re sneezing, get out of the building,” or “You’re crying, get out of the building.” Unless you’re crying to stay away from somebody outside the building, like, you’ll obviously be sensitive to that problem.

But we didn’t do the right thing by employee number one. Like, let’s just be very clear. This is a self-inflicted wound on our part that we put an employee in a spot. First of all, we had bad systems. I don’t need to know what the breach is. But if a human who’s frazzled can leave a breach open, that means our systems failed, not the human.

So, why they failed is less interesting to me.

The second problem is I’ve got somebody who’s actively gone and installed stuff. Let’s ignore why they did it for a moment. That’s awful. I actually think that’s even worse because now I have functionally a malicious insider. I mean, they’re temporarily malicious. For those of you who want to think about this, go download the Microsoft guidelines for inclusive design, which have nothing to do with security, everything to do with disability, but it talks about how some people are permanently disabled, “I only have one arm,” versus temporarily disabled, “I broke an arm, and so I only have one arm,” or like my dad just had his shoulder replaced.

Or situationally disabled, “I’m carrying a child, so I only have one arm.”

You can think of adversaries the same way. A malicious insider might hate you, they might be frustrated with you, or they might be compromised by an outside person. They still have the sort of same powers. So, I think I’m going to go with the second one, the sextorted employee. Absolutely going to be the worst one, even though I suspect for many people who are within the security management, they’re like, “Oh, I would prefer to have that situation because it gives me a very clear, like, I can feel righteous because we’re going to go after whoever this adversary is because they were an evil, awful person.” It’s sort of cleaner to manage, but it’s a worse situation.

[David Spark] All right.

[Andy Ellis] But it’s not going to actually be clean to manage. You just think it’s going to be.

[David Spark] All right. Deneen, what do you think is worse here?

[Deneen DeFiore] So, I didn’t want to agree with Andy, but I’m going to agree with Andy. [Laughter]

[David Spark] Again, he gets…

[Deneen DeFiore] I was like, “Come on.” I thought he was going in a different direction. But I do think the second scenario is a little bit worse. In the first scenario, even though, agree, culture problem, you have an employee that wasn’t mentally there to be able to do their job, and that’s an issue that you have to take care of.

But if you lose money, you can get that back. Right? You can recover the financial loss, and we know how to do that. If you’re talking about the second situation, there’s a bunch of dimensions there. Right? It’s a person who is coerced that didn’t feel that they could speak up, potential malware on your system that could potentially evade your detection mechanisms, whatever.

Your IP is potentially gone. Who knows if it is not? It’s harder to recover from that type of incident or even potential incident than the first scenario. So, I definitely think the last one is the worst one.

[David Spark] And what Andy said, both in the human and the business aspect.

[Deneen DeFiore] Yeah, yeah, I agree.

[Andy Ellis] Yeah.

They’re young, eager, and want in on cybersecurity.

21:23.164

[David Spark] “What happens is they get the promise of great riches if you get a certification that costs $10,000 to $12,000, and then they get it and can’t get a job.” Now, that comment came up on a cybersecurity subreddit post pointing out people are often sold a trendy career in cybersecurity by social media influencers only to be met with an aggressive job market and no real idea of what it means to work in the field.

Now, I want to just jump in. I had this exact conversation with somebody. We do a monthly meetup in San Diego and a young man goes, “Oh, I’m thinking about doing this cybersecurity program. It’s going to cost me $10,000,” and we were [Inaudible 00:22:10] go, “No, no! Don’t do it! You’re being lured into something.” And then we talked to him, and he said, “Oh, no.

You can do this, this, and this, and there’s other opportunities.” Anyways.

So, let me go on and say this lack of proper expectations for getting a job in cybersecurity is the point of frustration, and we just were recording another episode about this. So, Deneen, I’ll ask you, is there something specific about cybersecurity that seems to attract more “clueless” prospects or does this just happen in any tech field?

I mean, I think it’s if someone’s an influencer and knowledgeable, you just kind of assume, “Well, they know what they’re talking about. They have an audience. So, why would they be wrong?” Where do you think what’s happening here… And by the way, do you agree with this premise I’m throwing out?

[Deneen DeFiore] Well, I don’t think this is unique to cybersecurity, but it happens in other tech fields as well, too. But I think cybersecurity has unique characteristics that maybe amplify the issue. We have an ever-present dynamic threat landscape that really creates a sense of urgency and a perception of endless job demand.

Right? Like there’s whatever the latest and greatest number of millions of cybersecurity jobs that are open, and then the complexity and specialization of some of the roles that we have also make it hard to understand what the actual job really entails. We’ve got, like you said, the certification ecosystem and marketing, with really aggressive marketing that is really saying that this is the pathway into a career.

And many of the entry-level certifications like Security+, for example, that everyone gets, suggest that anyone with determination, right, can get started. And while that’s partially true, it really doesn’t provide the depth needed for actual roles. Right? So, I think the frustration is both on the job seeker side, as well as the employer side.

[David Spark] Job seeker and employer, but I’m throwing in this third audience here, which is the ones providing the education and selling them the belief that if you spend 10 to 12K on this certification, you’ll have this very affluent job.

[Deneen DeFiore] Right. Right. While certifications are a good way to get an understanding of the basics and the concepts, really the practical experience is really what matters. Right? And we at United have started a program. It’s called Innovate, and it’s three or four pathways into cybersecurity and technology.

So, we provide a way for folks that are interested in cybersecurity, whether you’re mid-career, maybe you’re a flight attendant or a ramp agent, right, and you want to get into cybersecurity. You know the airline. But you can come in, we’ll train you and we’ll give you the experience to learn the different domains and skill sets for cybersecurity.

And maybe you can transition off into a role. We have the same for early career students coming out of college as well, too.

So, we’re trying to make sure that the experiences and the pathways are there because there’s not a realistic expectation where you go and you spend $10,000 in three weeks or six weeks, whatever, in a boot camp, and then you’re qualified to do what we need you to do to manage cybersecurity risk, to get the hands-on experience.

So, I really do think that the marketing, I’ll say the hype around cybersecurity, you see something happening every day, creates this drama and mystique and allure. And some of those companies feed off that, but we as leaders really have to change that narrative and start to provide, I’ll say, pathways into the career and really start to hire on potential, provide the training and experiences to get qualified candidates.

[David Spark] All right. Andy, I know you have maybe one, possibly two opinions on this topic.

[Andy Ellis] I have a lot of opinions. Several of them agree completely with Deneen, so I’m not going to repeat those. But I like to think of a lot of security jobs as being insertion-level jobs, which is it’s not an entry, but you need to have some set of skills already that we can now reuse. And so I love, especially when very large companies, United Airlines obviously is not a tiny company, you have the ability to say, “Look, we have a whole candidate pool that already works for us that we don’t have to teach them our business.

And in fact, they’re going to bring business knowledge to us.” Like there’s things that a gate agent knows that I think Deneen wishes every one of her staff knew.

[Deneen DeFiore] Right. Exactly. [Laughter]

[Andy Ellis] So, like a gate agent coming on board, it’s fantastic. You’re like, “Great. Like, yeah.” How important is it that every channel for communication has the same departure time in it? Very important because your passengers get really confused when different numbers are there. Gate agent knows that intuitively, whereas somebody else coming off the street doesn’t.

[Deneen DeFiore] Exactly.

[Andy Ellis] I want to point out this $10,000 to $12,000 number, which is not crazy in this industry, except that’s Ivy League education number. Just to be very clear, these are people who are claiming to give you an Ivy League education in cybersecurity.

[David Spark] I’m sorry, Ivy League costs a lot more than 10 to 12K.

[Andy Ellis] It does, but you’re not done in six weeks.

[David Spark] [Laughter]

[Andy Ellis] So, they’re basically saying, “Oh, we’re going to give you six weeks of an Ivy League education.” That’s the pricing.

[David Spark] Well, no, they’re pricing it at ROI levels. Like, “We charge this because we think you’re going to make more.”

[Andy Ellis] Right. But they failed to do that. And in fact, I recently saw some discussion in a forum about one of these that said that people who’d come to their program should list it on their resume as an internship.

[David Spark] Really?

[Andy Ellis] That you were a cybersecurity intern, not going to this class, and I’m like, “That just tells me how unethical some of these players are.” Many of them are not. Just to be very clear, let’s not throw this whole industry under the bus. A lot of folks have really positive, they’re really trying to help and say, “Hey, let’s give you some basics.”

[David Spark] Which, by the way, this is the one I want to separate. I think the education they’re doing is solid because I haven’t had arguments about the education, but it’s more the selling of the education.

[Andy Ellis] Well, there’s the selling of the education, but I don’t actually think the education is the right thing yet. I’m not saying that it’s bad, but I’m saying that it’s sort of an academic, like we’re going to teach you how to use these tools, how to do these things. But if you don’t have that in the context of a specific job, right, what does pentesting matter?

Like everybody who’s ever done a pentest or a vulnerability scan or whatever it is, the first time you do it in a production environment, then you try to hand the results to an engineer and say, “Fix all of this,” it’s eye opening. And so teaching somebody how to do one without the other, I’m not actually convinced that’s a solid education.

Attention CISOs! Your expert opinion is needed.

28:49.233

[David Spark] Is cyber insurance feasible for smaller businesses? Zia Muhammad and Jeremy Straub argued that while insurance is a piece of the risk management toolkit, the cost puts it out of reach for SMBs. The National Association of Insurance Commissioners saw cyber insurance premiums up 50% on the year in 2022.

Now, that’s the last year we have figures from them. So, that issue is getting more acute. They suggest regulatory action could help in two ways. The most direct path could see the government subsidize insurance premiums for smaller businesses, but the other would be making it clearer what an insurance policy actually covers, with similar “nutrition labels” we’ve seen on everything from appliances to broadband service.

So, my question is – I’ll start with you, Deneen – is the cyber insurance market changing so quickly that SMBs don’t have the resources to keep up with changes in policy requirements and coverage, even if they could afford it? So, that’s an interesting thing because it is changing very fast.

[Deneen DeFiore] Yes. Yeah. I mean, every year, right, cyber insurance policies and reviews, applications get more and more complicated, and they get more in depth. And I’ve heard some of my peers talk where it used to be 200 questions that they would answer. Now it’s four days of eight-hour meetings talking to and reviewing things.

[David Spark] Jeez, really?

[Deneen DeFiore] Yeah, yeah, yeah.

[David Spark] Well, that makes the 200 questionnaires, that’s a walk in the park now.

[Andy Ellis] Right. With underwriters from like seven different firms in the room. Like it’s not you in one on one. You have your broker who brought in the underwriters, and you have to talk to all of them.

[Deneen DeFiore] All the towers. Yeah. Yeah. So, that’s kind of the way we’re going. And at a large company, people can handle that. At a small-, medium-sized business, there’s no way they can handle that, right? And the expectations around, I’ll say, hygiene to have, yes, okay, well, everybody needs MFA.

Okay, everybody needs MFA. Small-, medium-sized business, there’s not 100%. There’s not 98 to 100% coverage of every single control. So, I don’t think, the way we have set it up, it’s realistic that small-, medium-sized businesses are able to manage, afford. And then even if they do get cyber insurance, they’re not insured to the level that they need to be.

Large businesses are not insured to the level that they need to be.

When you have a cybersecurity incident, the result of that incident is not just the disruption to your business or the valuation of the data. It is years and years of dealing with the output and fallout, litigation, external legal fees, orders from different regulatory agencies that you have to comply with, all those things that add up over time.

So, long answer to your question, I just don’t think the model’s feasible for small-, medium-sized businesses at this point.

[David Spark] Let me throw this out to both of you and I’ll have you, Andy, start first. My argument with just cyber insurance in general is, first of all, I don’t understand how they price anything because they don’t have these decades of actuarial tables that other parts of the insurance industry have.

And even if they did, cyber and essentially the attack surface and the attackers are changing so drastically. Like literally, could you compare what happened three, four years ago with what’s happening today?

[Andy Ellis] Well, in fact, that’s why the premiums went up so much in 2022: 2021 was the year in which there was a preference cascade in which companies said, “Oh, disclosing a breach isn’t such a bad thing. I’ll go tell my insurance carrier about it,” because so many people got hit with ransomware, and so everybody was filing claims for ransomware breaches, whereas 2020 and before, people weren’t really filing claims.

Companies were basically self-insured with this external insurance agency, partially as a backstop, partially like I had to tell Deneen that I had cyber insurance so that she would pay me money for other services. So, I had to go get insurance, even though I didn’t use it because it was just an expectation.

Like that’s the large business world, and that’s what drives that top-end number.

But let’s also pay attention to the low-end number here, which is small and medium businesses are not going through this massive, “Oh, I got to go talk to all the underwriters,” and their cyber risk is not something insurance can really help them with. Because what does insurance help you do, right?

It pays for some of your losses, pays for your system recovery, notification, etc. But I remembered a bunch of cases. There was like one small medical practice that shut its doors, got hit with ransomware. And being down for three days, they were already basically living on break-even, and they were debating closing anyway.

Like, “Okay, at what point do we get out of this business? It sucks. Oh, I don’t have any systems anymore. It’s not worth the hassle to come back.” Like that’s the real resilience challenge: the lack of economic resilience in the small and medium business market to survive a multi-day cyber issue.

[David Spark] So, Deneen, I’ll let you close this out. Do you think the fact that SMBs can’t keep up is something they should actually be happy about in a way?

[Laughter]

[Deneen DeFiore] Yeah. I mean, some of the burden and the kind of administrative minutiae that comes with it, right? They don’t have to deal with that. I do think though, some of the benefits around just having an understanding of what that baseline is though is important for everybody to get on board.

Right? If there’s an expectation that we all have phishing-resistant MFA right now because regular MFA is not going to cut it or hasn’t cut it for years, right? That should be kind of a good outcome of this whole discussion, right? But I don’t know that that’s going to happen.

Closing

34:43.986

[David Spark] Well, that brings us to the very, very end of this episode. I want to thank Deneen and Andy for helping on the show. I’m going to let you, Deneen, have the very last word here, but I do want to thank our sponsor and that’d be Entro Security. Remember, go to their website, entro.security, and look at what they’re offering for non-human identity and secrets security platform.

Your non-human identities are growing at a much higher rate than your humans are. Actually, they multiply a lot faster. Even if we had a baby boom, they wouldn’t grow at the rate that the non-human identities are growing. So, that is happening in your environment. Go take a look at what they’re doing at Entro Security.

Andy, thank you, as always. And Deneen, the question I always like to ask our guests is if you are hiring. Are you hiring at United?

[Deneen DeFiore] Yeah, we’re absolutely hiring in cybersecurity, digital technology, data analytics. You can check out our careers.united.com site and there’s listings for over a hundred jobs right now. So, definitely check it out.

[David Spark] Oh, wow. Lots and lots of positions. Would it help if they contacted you via LinkedIn and said, “I heard you on the CISO Series”? Would it help at all whatsoever?

[Deneen DeFiore] It depends. [Laughter]

[Andy Ellis] Hey. Very, very good political answer there.

[Deneen DeFiore] It depends.

[Andy Ellis] Take a picture with the United logo behind you. You get better engagement that way.

[Deneen DeFiore] Yes. Yeah, yeah, yeah, yeah, yeah.

[David Spark] The United logo with the CISO Series logo together.

[Andy Ellis] Ooh.

[David Spark] There you go.

[Deneen DeFiore] Hey, that could work.

[David Spark] I like that, I like that.

[Deneen DeFiore] [Laughter]

[David Spark] Thank you again, Deneen. Thank you very much, Andy. And thank you, audience. We greatly appreciate your contributions – send in more “What’s Worse?” scenarios – and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.