Gunnar Assmy - Fotolia
From Word to wings: Deborah Wheeler took on a new set of challenges in February when she accepted the role of CISO at Delta Air Lines Inc. The Atlanta-based carrier is the oldest airline operating in the United States. It grew from its agricultural roots, crop dusting, to providing international cargo and passenger services, with more than 5,000 flights daily across its own and affiliate operations. Part of IT leadership at Delta, Wheeler reports to the CIO and is tasked with securing sensitive information for the global carrier and millions of passengers.
Delta's longevity in a turbulent industry has required a willingness to embrace technology advances and swift recovery from IT glitches, such as widespread computer outages. Starting this summer, the airline is rolling out a pilot test of facial recognition technology -- algorithms match facial images to priority customers' passports -- at the Minneapolis-St. Paul International Airport, to speed up self-service baggage drops. JetBlue Airways is fielding a similar pilot program for flights to the Caribbean departing from Boston's Logan International Airport.
Information Security magazine caught up with Wheeler to find out more about her new role of CISO at Delta and unique challenges in the travel industry. Prior to Delta, Wheeler spent 20 years honing her security skills in financial services. She previously served in the role of CISO at Freddie Mac, Ally Financial and Fifth Third Bank. She also performed information security leadership roles at JPMorgan Chase and PNC Bank. Wheeler holds both CISSP and CRISC certifications and is a graduate of the University of Colorado with a degree in information systems management. A systems engineer early in her career, Wheeler said a simple request to "look into viruses" sparked her transition to information security.
You have been involved with the information security field for many years. What was it like when you started?
Deborah Wheeler: I actually started in the security field in 1994. At the time, we were learning about a virus that infected Word documents; it would drop letters to the bottom of the screen. We thought it was the end of the world! We also had Lotus Notes spreadsheets where the cells wouldn't calculate properly, so my initial exposure to information security was obviously different from today.
Deborah WheelerCISO, Delta Air Lines
What I think is interesting is that we could have been further along with security if we had given more credence to what people were warning [us] about 20 to 30 years ago; as a species, we tend to be shortsighted. Back then, people had trouble thinking about cyberwarfare: What could it mean -- was it war without bloodshed? People couldn't imagine that everything in our world would be run by computers.
How did you end up in information security?
Wheeler: It kind of just happened. I was working as a systems engineer and my boss asked me to look into viruses. That was my first project in the security field. From there, I went into access management, scanning systems and removing unused accounts. Those were the concerns in the early days of security.
I then went to Allegheny Health and Research in Pittsburgh -- the parent of Allegheny General Hospital and of other hospitals in the state -- as a network security manager and the security lead in implementing our firewall and our first multifactor authentication system. We implemented that statewide. Then I went to PNC Bank for security. They were just starting online banking at that point.
What is your focus at Delta?
Wheeler: My biggest worry is not just the financial information we are protecting; it is the highly confidential information about customers that could be misused or lead to harm or death. We are moving unaccompanied minors, and we have high-profile clients moving around the country sometimes booking weeks or months in advance. So part of my job is to think of all the bad ways data could be used and to make sure information access is limited to those that need to know. It can be a lot of sleepless nights, and in the daytime I try to be proactive and make sure those nightmares don't become realities.
Do you engage with others in the role of CISO or share your expertise?
Wheeler: I don't enjoy doing a lot of public speaking, and because my job is so demanding, there isn't really a lot of time to engage in networking.
I have been in the information security field a long time, and there aren't many others who have been in the field for as long. However, there are always people who have lived through certain kinds of breaches who are great sources of information, especially when you can focus on what they learned or what didn't go well.
As you take on the role of CISO at Delta, what are your biggest priorities?
Wheeler: End users and education: Those are the first line of defense. We need to get people's heads out of the sand for security and help users understand the role they play in keeping credentials safe, beyond phishing. Access management is another [priority]. If we don't get that right, nothing else matters. I frequently [get on a] soapbox about those topics.
Beyond that, I'm hopeful that Delta will be the last company I need to work for because I'm enjoying my time there and hoping to make a difference in aviation. And then I hope to retire!
How to map data flow to track sensitive data
Increased opportunities as security leadership skills grow
CISO job shifts toward more responsibilities
Dig Deeper on Security industry certifications
Why a CISO-CIO reporting structure undermines security
McAfee warns of serious security flaw in building controller
Ask the expert: The value of diversity in cybersecurity staffing
Government, business cybersecurity cooperation still faces roadblocks