CISO Series Podcast – Episode Summary
Episode Title: Our Developers’ New Motto is “LLM Take the Wheel”
Date: February 4, 2025
Host(s): David Spark, Andy Ellis
Guest: Deneen DeFiore, VP CISO, United Airlines
Sponsor: Entro Security
Brief Overview
This episode of the CISO Series Podcast centers on bridging gaps between CISOs and executive leadership on cyber risk, navigating the impact of generative AI and LLMs on development and security risk, ethical challenges in cybersecurity training and hiring, and the shifting landscape of cyber insurance. With first-hand experiences from Deneen DeFiore of United Airlines, the panel delivers practical insights for security leaders, discusses industry reports, and tackles tough "what’s worse" scenarios.
Key Discussion Points and Insights
1. The CISO's Public Perception & Industry Feedback
- Deneen’s Experiences: Deneen DeFiore shares how working for a well-known brand like United Airlines invites both positive and negative customer feedback, both in professional and social settings.
- Quote (B, 01:43):
"People seek me out for that. Not only people I know. People I don't know on LinkedIn and Twitter or X, whatever it's called now, they find me and talk to me about it as well, too. But always open to feedback and happy to help."
- Notable Moment (D, 03:17):
Andy reminisces about engaging with United using a stuffed animal mascot, highlighting how company culture shines in unexpected contexts.
2. Cyber Resilience Alignment: The CISO-CEO Gap
(04:05 – 10:09)
- PwC Report Findings:
- Only 2% of surveyed organizations have full cyber resilience across domains.
- Fewer than 50% of CISOs are involved in strategic planning.
- Only 15% of CEOs measure the financial impact of cyber risk.
- Host Reactions:
- Andy questions the realism of expecting organizations to achieve blanket cyber resilience, cautioning against "snake oil" risk quantification.
- Quote (D, 06:04):
"Cyber risk quantification is snake oil... If you're trying to do quantification with unacceptable losses, you've already missed the boat."
- Deneen’s Approach:
She stresses aligning CISOs with business leadership, advocating for security’s role as an enabler, not just a defender.
- Quote (B, 07:21):
"We have to advocate for our roles, that we're enablers of digital trust, not just defenders of threats."
- Tactical Advice (B, 08:40):
"You need to be in the operating rhythms that your operations and your business leaders are. You can't be separate than that... it's the operational pieces that really make the difference."
- Shift in Table Stakes:
Data protection is now expected; what matters is operational continuity and enabling business outcomes.
3. The Risks of AI and LLM Tools in Development
(10:09 – 13:16)
- Key Risk: Productivity tools (e.g., GitHub Copilot) can increase output but may propagate poor code when used by inexperienced developers.
- Abstraction Dangers (D, 11:11):
Andy draws from Joel Spolsky’s "Law of Leaky Abstractions," likening AI-generated code to living in a penthouse with no knowledge of what supports it underneath.
- Quote:
"When you lose that understanding of the knowledge of complexity of what's going on underneath, you sort of don't have the ability to reason about what's happening."
- Deneen’s Perspective (B, 12:34):
"Managing the downstream risks of those outputs... requires a shift in mindset. Not viewing AI as a black box, but treating it to that system whose outputs need rigor, testing, governance, all that kind of stuff."
4. Culture, Mental Health, and Insider Threats: A “What’s Worse” Scenario
(14:50 – 21:20)
- Scenario One: An employee’s mental exhaustion leads to payroll theft by a threat actor.
- Scenario Two: An employee, under sextortion, installs malware, facilitating potential IP theft.
- Panel Choices:
- Both Andy and Deneen agree scenario two is worse for both human and business impact.
- Cultural Note (D, 17:50):
"If a human who's frazzled can leave a breach open, that means our system's failed. Not the human."
- Deneen (B, 20:16):
"If you lose money, you can get that back... If you're talking about the second situation, there's a bunch of dimensions there... potential malware, your IP is potentially gone... That is harder to recover from."
5. Cybersecurity Training and Hiring: Overpromises and Real Paths
(21:25 – 28:51)
- The Issue: Candidates are misled by expensive, quick-fix certifications into thinking they’ll land lucrative jobs easily.
- Deneen’s Analysis (B, 22:59):
- The problem is not unique to cybersecurity, but amplified by the industry’s urgency, specialization, and the “mystique” promoted by aggressive marketing.
- Innovate Program at United: United’s in-house training enables career transitions from within — e.g., gate agents or ramp personnel to cybersecurity roles — emphasizing practical experience over certifications.
- Quote (B, 24:26): "While certifications are a good way to get an understanding of the basics and the concepts, really the practical experience is really what matters."
- Andy’s Take (D, 26:04):
- He distinguishes “insertion-level” from entry-level roles, arguing many cyber jobs require transferable business and tech skills.
- Skepticism towards the ROI of costly bootcamps, noting that some even encourage graduates to label participation as “internship experience.”
- Critiques purely academic models that lack real-world job context.
6. Is Cyber Insurance Feasible for SMBs?
(28:51 – 34:43)
- Rising Premiums: Cyber insurance for SMBs is becoming cost-prohibitive and administratively burdensome due to in-depth scrutiny and compliance expectations (e.g., mandatory MFA).
- Deneen’s View (B, 30:04):
- The complexity and resources required to obtain insurance are out of reach for SMBs, and coverage gaps remain for organizations of all sizes.
- The aftermath of an incident (legal, regulatory, reputation) extends far beyond what insurance can address.
- Quote:
"I just don't think the model is feasible for small medium sized businesses at this point."
- Andy’s View (D, 32:21):
- Insurance is not built on robust data; recent premium spikes correlate with increased reporting, not risk stabilization.
- For SMBs, resilience is more about business survivability than insurance payouts, as even minor downtime can be fatal.
- Upside for SMBs: Skipping the “administrative minutiae” could focus their efforts on practical hygiene (MFA, baseline controls), but meaningful systemic change is still lacking.
Notable Quotes & Memorable Moments
- Andy Ellis (Risk Quantification, 06:04):
"Cyber risk quantification is snake oil... If you're trying to do quantification with unacceptable losses, you've already missed the boat."
- Deneen DeFiore (Operational Cybersecurity, 08:40):
"You need to be in the operating rhythms that your operations and your business leaders are. You can't be separate than that."
- Andy Ellis (AI Abstraction, 11:11):
"You're basically living in the penthouse apartment, but you have no idea what the I beams are that are supporting you."
- Deneen DeFiore (Hiring, 24:26):
"Really the practical experience is really what matters."
Timestamps for Important Segments
- CISO-CEO Alignment and Cyber Resilience: 04:05 – 10:09
- AI & LLM Risks in Coding: 10:09 – 13:16
- “What’s Worse” Insider Threat Scenario: 14:50 – 21:20
- Cybersecurity Hiring Pathways & Bootcamp Reality Check: 21:25 – 28:51
- Cyber Insurance Feasibility for SMBs: 28:51 – 34:43
Episode Tone and Language
The conversation is candid, humorous, and packed with practical wisdom. Andy brings sharp skepticism and playful jabs, while Deneen is constructive, optimistic, and solution-oriented. David Spark keeps the discussion fast-paced and grounded in real-world stakes.
Useful Takeaways for Listeners
- Align cybersecurity goals with business outcomes by embedding security leadership in daily operational rhythms.
- Be wary of promises around risk quantification and quick cyber resilience wins.
- Treat AI-generated code with the same scrutiny and testing as human-authored code; don’t let LLMs be a black box.
- For security career aspirants: prioritize gaining hands-on experience; certifications alone are not enough.
- SMBs should focus on practical cyber hygiene; the insurance market may not be accessible or effective for them.
Closing
- United Airlines is hiring in cybersecurity and related fields, with over 100 open positions (35:37).
- Final practical advice: A United logo photo might improve your LinkedIn approach to Deneen—combining it with a CISO Series tag is “even better” (36:04).
For more episodes and ways to participate: cisoseries.com
