2023-05-25

Deneen DeFiore is a Hall of Fame technology executive who currently serves as vice president and chief information security officer at United Airlines, where she leads the cybersecurity and digital risk organization to ensure the company is prepared to prevent, detect, and respond to evolving cyber threats. She also leads initiatives on commercial aviation cyber safety risk and improving cyber resilience across the global aviation ecosystem.

When we spoke for a recent episode of the Tech Whisperers podcast, DeFiore covered a lot of ground, delving into the complexities of the CISO role, the tricky balancing act required to manage the day-to-day, and the leadership skills it takes to be successful in this profession. Afterwards, we spent some more time focused specifically on her communication playbook and how she shapes the narrative around cyber and its value to the business. What follows is that conversation, edited for length and clarity.

Dan Roberts: Why is it important for CISOs to be intentional about 'telling the story'? If two cyber organizations are delivering the same value to their companies, but one is good at telling the story and the other is not, what difference does it make?

Deneen DeFiore: There's definitely value in having the ability to tell the story that's connected to the business outcomes around what you're trying to do to manage risk. If you have two organizations that are protecting the company and doing what they need to do, the one that's not able to tell the story is operating at almost a technical level. They're doing good things and driving good outcomes, but if they're not able to connect the dots with the business outcomes, they're going to stay at that level of entitlement. It's going to be harder for them to say, 'We need to do XYZ,' because it's going to be linked to 'what cyber security needs to do.'

On the other hand, if you're creating a value story, such as, 'We need to go to a more seamless experience for our customers to access our systems,' then you can talk about a new customer identity platform and moving to passwordless and how that's going to create great customer experiences. You're going to start adding value at a different level and expanding your scope, as well as moving up the value chain for that organization.

You can be the best technologist with the best execution to the standards that you've set, but if no one understands them or understands the importance and why it matters, you're going to stay there, as opposed to that storytelling organization, which is going to continue to grow and evolve at a much different rate and level.

In the podcast we talked about the plethora of stakeholders you serve both inside and outside the company. Some might have shared interests but different ideas of how to get there. Others might have competing interests. How do you deal with this when it comes to communicating and messaging?

There's always going to be competing priorities between one organization and another or differences of opinions on how to get there. What I try to do, again, is focus on the outcomes, because if you're aligned on the outcome, then you can really start to unpack what the issues are around the disconnects. So: If we do this, we're going to get here. If we do that, we're probably going to miss. And we all want to be here, right? That's kind of the way I do it. It's focusing on what problem we're trying to solve, creating those shared needs and goals, and getting everybody to understand what the end state is, versus the details of how you're going to get there.

I also make sure that I'm the facilitator and orchestrator, but it's not my idea. It's about getting the people that are not on the same page or may have disconnects in priorities to come up with the solution. I think that's the key to success as well.

From industry regulations and TSA directives to SEC and cyber regulations, how do you provide clarity in this sea of complexity?

You have to make sure that you're speaking in a language and terms that people understand, even if you're trying to talk about complex regulations. I don't, in normal day-to-day life, talk like a policy document. And I think sometimes when we're trying to explain that the TSA has this new LSP or something, we just spit these acronyms and technology terms out. It's really important to make sure that you are paying attention to your tone of voice and word choices. Use common language so you can explain what is happening, why it's happening, and what we're going to do about it.

Because if you think about the complexities around the way an event or attack happened or a really complex TSA regulation, no one wants you to regurgitate the low-level details or the policy documents. They want to understand, in summary, what is it? What are we doing about it? Are there, like, any risks or issues that we need to be concerned about?

The CISOs we surveyed for our CyberLX leadership program told us that one of their big priorities is building leadership skills with a focus on EQ [emotional intelligence], influencing skills, and communication skills. How do you instill that kind of marketing mindset in your leaders and develop these communication muscles in your people?

I don't like to have meetings before meetings and all that kind of stuff, but for those important presentations or important meetings or discussions where you're really trying to get people on board, or you need any kind of commitment from someone, I have a preview with my team. We go through the slide deck or the key messages, and I kind of play devil's advocate and ask, 'Well, why do I care about that?' We practice that way, and after we do that a while, they get that and they can do it and we don't have to have the meeting before the meeting anymore.

Communication is developing that muscle memory as well. There's always a question you're trying to answer. There are certain elements of communication where it's the same components and you have to keep that in mind and just know how to do it. So practice is really important.

How do you define the value cybersecurity creates for the business?

I think value can be defined in a couple of ways. It's making sure that you're meeting those key responsibilities that you have as a cybersecurity leader: there's no significant data loss, no downtime or operational disruption associated with a cyber event.

There are those types of things, but there are also things around, how do you enable the business to do something that they couldn't do because you're removing that risk or mitigating that risk, or you're breaking down a perceived barrier that was there so you can go operate in a market that you weren't able to before because you have a secure architecture. Or you can collaborate or share data in a manner that's trusted that you weren't able to do before. That creates value from a business outcome standpoint.

You have to think about defining value not only in terms of what you're doing from a cyber perspective, but also what you're enabling your organization to do from a customer or shareholder value standpoint as well.

What are the metrics you focus on?

This is evolving and I'm still working on it with my team, but the operational side of metrics is around the policies and standards that we're setting, how well we are covering those within the technology services, and then how well they are performing. So it's a coverage and an effectiveness type of view of metrics.

Of course, we want all the external endpoints behind our web application firewall, that coverage metric, but then how many threats are we actually blocking? What are they? And then are they in the application security standard? And why are people still using broken authentication or improper session management or whatever it is? We're trying to close the loop there and make sure we're not just saying we're good because we have a policy, but is it working effectively? And then where it's not, understanding where our gaps are. It's that continuous loop. We try to pull that baseline of metrics and KPIs around core capabilities within our cyber program.

It's probably not a metric you track, but I have to imagine that once you do a good job with the narrative, you're seen as a strategic partner and start getting invited to the first meeting instead of the fifth meeting.

Definitely. I love it when somebody else is connecting the dots, when they come to me and say, 'I think we should be thinking about this.' That's my measure of success. I've done my job.

For more insights from DeFiore on the leadership skills required to be a successful cybersecurity leader, tune in to the Tech Whisperers podcast.