The Next Big Question

Episode 24
Hosted by: Collin Lingo and Liz Ramey

Deborah Wheeler

CISO

Delta Air Lines

Deborah Wheeler is the Chief Information Security Officer at Delta Air Lines, a role she has held since 2017. Prior to that, Deborah was CISO at Freddie Mac, Ally Financial, and Fifth Third Bank. She is also an Independent Board Director.

How Can C-Suite Leaders Engage Policymakers on Cybersecurity?


AUGUST 28, 2022

This time on The Next Big Question podcast, CISO Deborah Wheeler of Delta Air Lines leads a conversation about cybersecurity and how private industry can engage with government entities in the security space. She discusses the current threat landscape, the need for public-private collaboration, and the risks if these public-private conversations don’t take place. She also shares her route into cybersecurity leadership and how to recruit more talent into the field.


Liz Ramey (00:13)

Welcome to The Next Big Question, a podcast with senior business leaders sharing their vision for tomorrow, brought to you by Evanta, a Gartner company.

Each episode features a question with C-suite executives about the future of their roles, organizations, and industries. Thanks for listening. I’m your host, Liz Ramey.

Now, let’s hear what today’s Next Big Question is. In this episode, Collin Lingo joins me as a co-host. Collin is a Content Manager here at Evanta, specializing in the Chief Information Security Officer.

Today, Collin and I speak with Debbie Wheeler, the Chief Information Security Officer at Delta Air Lines. We ask Debbie the question, “Why should C-level executives build public and private partnerships?” With a view on cybersecurity and ensuring the entities that govern us are as educated as possible, Debbie gives her insights into what we should be doing and what will happen if we don’t do anything at all. Let’s hear what Debbie has to bring to this topic. 

Liz Ramey (01:22)

Debbie Wheeler. Welcome to The Next Big Question. 

Deborah Wheeler (01:25)

Hello, Liz. 

Liz Ramey (01:26)

Debbie, we're going to get started just gaining an understanding of your journey to the C-suite. So we'd love to hear about your story, and how did you get to where you are today? 

Deborah Wheeler (01:38)

Well, I think my role I would describe as accidental. I never set out to study cybersecurity specifically. I was working actually in a law firm right after high school and was asked to investigate computers as a potential replacement for the typewriters we were using at the time. And so I got involved in evaluating some of the early computers that were available for business offices, and it just kind of developed from there. It was an interest and a love of the technology, early technology, and then pursuing that through college and winding up in the computer field or the information technology field. 

When I had the opportunity while I was working at MCI as a network engineer to do a security project at the request of my manager of the time, and I fell in love with it at that point. The whole idea around why people would do bad things with technology, I think the psychology of it was of great interest to me. And from that point forward, my career in information security was kind of cemented. And every role I had after my initial role at MCI was in information security or what we today call cybersecurity. So, that's how it started and how I got here. 

Collin Lingo (03:06)

That is one of the more unusual routes I've ever heard. And I love it. I love that story. One thing I wanted to talk to you about, a little background information on our topic today. So, let's get some background information from you, Debbie. What's the threat landscape for both private and public sectors look like right now, and how have they traditionally worked together to fight cyber threats? 

Deborah Wheeler (03:35)

Well, I think the threat landscape, we view it differently, obviously. In the corporate world, we talk about threat in terms of nation state, organized crime, hacktivist. In our personal lives, we talk about threat in terms of some of the phishing threats that we experience as individuals, typically targeting our bank accounts or our retirement accounts. It tends to be very, very focused on our financial well-being, the threats we experience personally. In the business world, those threats obviously take many shapes, many forms from financial threat to other types of threat, including ransomware or just chaos. In terms of private-public partnerships, throughout the course of my career, I have observed many, many overtures by the federal government to engage with the private sector in terms of what we are seeing and what we are experiencing as companies or corporations with respect to cyber threat. And perhaps the most formalized of those overtures occurred through the FBI's InfraGard project, which came about in the early nineties, or maybe it was the late nineties at this point, which really was the first attempts by the federal government to engage with and engage in conversations with the private sector.

Liz Ramey (05:03)

Fascinating. And so, Debbie, what sort of gaps are there today in the government's understanding and practices of cybersecurity from your lens? And what can the private sector teach them to bridge those gaps? 

Deborah Wheeler (05:24)

So, from my perspective, what I have experienced, what I have seen – and I've worked in a couple of different industries, I worked in financial services prior to my current role in the aviation space. What I have seen is we've got overtures by the government to start regulating cybersecurity practices and regulating cybersecurity controls. And in many instances, the individuals attempting to do that regulation have little to no understanding of cybersecurity or cybersecurity practices, particularly within a given industry. 

So, you've got this mismatch between expectation and policy and the practice and what actually is happening. And that is a gap we're trying to bridge from my current role and the role my team plays by engaging in more and more conversation, both with industry groups that have dialog with the government entities that are attempting to do or enforce this regulation, as well as direct contacts with those government entities or with subcommittees that inform and recommend practices to these government entities. So that they have a better understanding of what's actually happening in a particular industry with respect to cybersecurity practices. 

Liz Ramey (06:49)

So, when we're thinking about this kind of this bigger picture of the private and public sector working together, bridging the gap, who do you see as responsible for the first step? And, you know, adding to that, how should C-level executives get the conversation started? 

Deborah Wheeler (07:10)

I think the federal government has a responsibility to take the first step in engaging with private industry when they are looking at or contemplating regulation around cybersecurity. And I think it needs to be with the intent of learning what current practices are in that industry and what current gaps are in that industry, and then working collaboratively to propose regulation that makes sense and is a first step. I saw this happen in the financial services sector, and it was successful. And with each succeeding year, maybe there was additional regulation or additional refinement of regulation that occurred. And it got to a point where there was collaboration, strong collaboration, between financial services and the various regulatory entities within the federal government around cybersecurity practice and cybersecurity controls. So, I'd like to see that happen more uniformly across all of the regulatory entities in the federal government that have responsibility for the varying aspects of critical infrastructure. 

Collin Lingo (08:25)

Debbie, what's it going to take to get to a turning point in that conversation, if there hasn't been one already? 

Deborah Wheeler (08:30)

Well, I think part of it is the engagement by industry groups as well in those conversations with the federal government. In our industry, that might be the A for A group, Airlines for America. It can also be through the ISAC, the aviation ISAC, in my industry. Prior it was through the FS ISAC when I was in financial services, but it requires conversation. And if government can't have that conversation individually with various corporations, there are these industry groups that represent a multitude of corporations or a multitude of business in a particular sector that government should be engaging with directly. So, that's what I'd like to see more of -- more conversation. And if that means doing it through these industry groups, great. But we're certainly always looking for those opportunities as an individual, private entity to engage in those conversations, as well. 

Liz Ramey (09:32)

So, thinking about this from an enterprise perspective, well, and actually, you know, just even as a kind of a nation, what's at risk if there's no action taken? 

Deborah Wheeler (09:44)

Well, I think if you talk with anybody in the security space, they would probably all agree that as a country, we're behind the eight ball when it comes to cybersecurity. And we need to catch up. And what that's going to require is increasing conversations between government and the private sector and agreement, rapid agreement, on security controls that can be enabled across industry sectors. There's also going to need to be conversations around the budget that's required because a lot of large industries depend on smaller, midsize entities in order to function or offer services or for various aspects of their operating environment. 

And I know one of the conversations we frequently have when we talk about this at our industry groups is – some of those smaller organizations cannot afford the type of security controls that a large company like Delta Air Lines is able to implement. So, how do we have a conversation and how do we implement security controls that provide critical infrastructure with the best possible protections, but do that uniformly between the largest as well as the smallest players in a particular industry. So, there's got to be conversation with government around how we enact that, how we enable that. Are there ways or means that government can participate and help some of these smaller entities along in their control environment, either through credits or grant programs or some such thing? Or is there going to be an expectation that larger companies have a hand in helping some of the smaller entities along? I don't know, but there has to be conversation, and that's what's missing right now. 

Liz Ramey (11:45)

Great, I'd love to just ask one more follow-up and just curious, are there other technologies or practices in the past that maybe the government and private sector have worked together in order to improve, such as, of course, cybersecurity. But are there other technologies in the space that you've seen this done well? 

Deborah Wheeler (12:09)

So, I'm told because it took place, I think, a little bit before my time, but the government had conversations with the electronics industry years and years ago to arrive at a certification for electronic devices, the UL certification, or that whole program to ensure that electronic devices being put into the hands of consumers were safe for them to use. So, there's been that partnership before and that agreement for the benefit of all of us as consumers. And that type of partnership is something I'd like to see as we move forward on this particular topic. 

You had asked, what's the risk if there's no action? Well, I think the risk is going to be catastrophic. And we're seeing hints of that when we look at the breaches that have happened even in the last two years, and there have been some very large cybersecurity incidents that have occurred in the pipeline industry and in the software industry that should be wakeup calls for all of us as to what potentially could happen if we don't take this threat seriously and work collaboratively on the solutions. 

Collin Lingo (13:25)

You know, I'm interested to know, Debbie, if there's a country or region that is doing this partnership well in a productive way? 

Deborah Wheeler (13:35)

Yeah, so we had the opportunity a couple of years ago to work with the UK on a particular incident, and I was impressed with how collaborative that particular government entity was working with us directly -- and even with the partner organization we were working with. How collaborative that relationship was and how much information was shared between the entities. And that's not something that I have experienced here, but it is an experience that I have used to inform government entities and a Senate subcommittee on the topic to try and help them understand what's lacking. 

Liz Ramey (14:20)

Speaking of something that is kind of lacking, just getting into kind of skills needed within the cybersecurity space. It seems like there needs to be a collective way to approach this problem, this growing problem. We've discussed in a couple of questions before. We briefly discussed the shortage of cyber talent, which is even more dire within the government. So, what sort of partnerships do you think are important to help the talent pool, to build that pool for both private and public sector? 

Deborah Wheeler (15:00)

So, I was encouraged to see the Biden Administration announcement -- I think it's been a little over a week now -- about trying to create programs to encourage people to study cybersecurity and other organizations that are getting involved now to try and make training available and certifications available. I think it's awareness, right? I think the biggest driver for increasing talent in cybersecurity is making kids aware from young ages all the way through high school and into college about what careers in cybersecurity can look like. 

As a company, we've done things like create Shadow Days, where we've allowed high school students who happened to be sons, daughters, nieces, nephews and friends of our current employee base to come in and spend a day working alongside my team so that they can see what a career in cybersecurity would look like. We've partnered very closely with a high school here in the Atlanta area as part of their work study program. Again, in an effort to give high school students the opportunity to see up close what a career in cybersecurity could look like. And I think that's really one of the things we have to do collectively as a nation is be able to give kids visibility into what computer technology careers look like, cybersecurity specifically, so we can help them understand what they can achieve, what's available to them, and what they need to know. Because a lot of times I think we are left with the impression that a four-year degree is the only way you can enter this particular industry or this particular space. And that's just not true. 

You know, I went to college, and at the time there was nothing around cybersecurity. It was not a major; it wasn't anything you could major in. And most of what I learned, I had to learn on the job. So, I think for a lot of people that are curious about cybersecurity, one of the first questions or one of the first hurdles they need to overcome is this onerous requirement from an education perspective. I’ll never say that a four-year degree isn’t valuable. It is, but a four-year degree in cyber is not necessary. And I think there are lots of paths people can traverse to get into cybersecurity that add tremendous value to the field. And I've seen that time and time again with people we've hired in our program who come to us with very diverse backgrounds. But one thing in common, they're really good problem solvers, and they're self-motivated. And I think if you've got those two characteristics, you can pretty much learn anything. 

Collin Lingo (17:51)

So, once they're there in cybersecurity, you know, and then maybe they make it, maybe they make it up to CISO one day, right. What sort of internal partnerships can they build that will get them closer to that government connection and the solution that we're talking about here? 

Deborah Wheeler (18:09)

So, two of the most beneficial partnerships for me and for my team inside of Delta have been the partnership we have with our physical security team and the partnership we have with our legal department, which includes our government affairs office. So, between those two groups, we are informed about the ways in which the airline is working with government across a multitude of industry partnerships and in conversations that may be occurring directly between our government affairs folks and people in government. But we also have this ability to and engagement with other divisions in Delta that are working with those government entities from a different angle, has nothing to do with cybersecurity. But the relationship can inform how we approach those same entities when it comes to cybersecurity concerns. So those partnerships internally are valuable for us to understand the ways in which we can, from a cyber perspective, work with government entities where we already have established relationships with those entities on other topics. And working with those other entities also gives us opportunity to inform them on the challenges we have in cybersecurity and the challenges we have working with some of those government entities due to the lack of understanding or knowledge about cyber. 

Collin Lingo (19:38)

Right, so there's a knowledge gap. We've talked about that. There's a talent gap, a best practices gap. Are there other gaps between the public and private sectors that we have to address right now with this same urgency? 

Deborah Wheeler (19:53)

Oh, wow. There's so many. I think, you know, it all starts with conversation. You've got to be able to start having conversations, whether that's with your local congressional office, your local senator’s office, just starting to have some conversations and getting the concerns raised. I think obviously my lens is going to be tilted toward cybersecurity and how we can increase the flow of information specific to this critical infrastructure sector that I happen to work in with the relevant government regulatory entities, as well as just being able to share with them the knowledge and the skills and experience that myself and members of my team have acquired to help educate -- where we are invited to -- those same government entities and regulatory and oversight bodies. Our goal at the end of the day is to ensure that the entities that are governing us on the topic of cybersecurity are as educated and informed about this particular space as they can be. Because if we can achieve that, then the regulations that come through those entities should be informed regulations and should be able to help us advance the state of our cyber practices. And that's our goal. 

Liz Ramey (21:22)

I love that view, Debbie… just you saying that, you know, that the entities that are governing us, it's our responsibility that they are the most educated and knowledgeable as they can be. And we could probably use that kind of language or view for so many different things going on in society today. Thank you for that. This has been such an interesting conversation. I feel like Collin and I could ask so many more questions. 

I do have a question from my former guest I spoke with just recently, Moin Haque, who is the chief data officer at Warner Music Group. And in every episode, we ask our last guest to pose a question to our next guest. And he was asking, ‘what is culture or identity from a brand perspective mean today and in the future, especially as we move into a more increasingly hybrid world where the physical definition of space and time is reset with more virtual and ephemeral dimensions.’ You know, what does that kind of culture mean to the enterprise? 

Deborah Wheeler (22:43)

It's an interesting question. I'm not quite sure that I fully understand what he's asking. But let me take a swing here at trying to answer. I think that culture and brand transcends space and time. Culture speaks to who you are. And brand is what you offer. How you offer. And I think relative to us as an airline, our culture is what enables the services we offer that people know us by, which is the brand. 

How does that change in an environment that's going through all of these digital shifts that we're going through? I think at the end of the day, your culture and your brand are how you're known, right. It's how we internally operate, interact with each other to deliver a set of services that our customers want to come back and experience. Which just happens to be our brand. I don't think it has a dependency on this time space continuum. I think it's independent of that. I'm not sure if that answers the question, but that's kind of how I viewed it. 

Liz Ramey (24:17)

Yeah. Yeah. Well, we'll have to, you know, once the metaverse gets to be super big and popular, then we'll have to kind of come back to that question, right? 

Deborah Wheeler (24:30)

Yeah. Well, maybe that's my big question, right. What's the relevance of the metaverse in our future? 

Liz Ramey (24:38)

That's right. And actually, you know, that could be your next question. I love asking, you know, as a C-level executive, so take yourself out of the security space. Just as a C-level executive, as a leader of an enterprise, what's the next big question that we should be trying to tackle? 

Deborah Wheeler (24:58)

There are so many, so many alligators close to the boat that we should be trying to tackle. But I guess if you're looking for a big question, I'd go back to what I just said, because I hear -- It's funny, I was in an Uber a couple of months ago coming back from a meeting and the Uber driver was asking me about the metaverse. 

Liz Ramey (25:19)

Oh, my goodness. 

Deborah Wheeler (25:21)

Well, I found it just a really, really odd conversation to have. But I guess more importantly, what do we think the relevance of the metaverse is going to be in our society going forward? I personally cannot see a relevance, but, you know, I'm getting older, and maybe it's just it's going to be something that's significant for a younger generation. But I'd like to know what people think. 

Liz Ramey (25:49)

Yeah, it's a great question. And my reality and understanding of that future versus my ten-year-old son's reality and kind of view of that are so different already. And so that's you know, and I see him as, you know, being a great leader in the future. And so it's a very relevant and interesting question that hopefully we can get ahead of and answer soon. Deborah, thank you so much for being our guest and providing such great insights. It was a really nice, joyful conversation to have with you. Thank you.

Deborah Wheeler (26:32)

Thank you, Liz. It was a pleasure speaking with you today, and I appreciate you having me on the show. 

Liz Ramey (26:38)

Thank you, again, for listening to The Next Big Question. If you enjoyed this episode, please subscribe to the show on Apple Podcasts, Spotify, Stitcher, or wherever you listen. Rate and review the show, so that we can continue to grow and improve. You can also visit Evanta.com to explore more content and learn about how your peers are tackling questions and challenges every day. Connect, learn, and grow with Evanta, a Gartner Company.