Key Takeaways
- Devon Bryan began as a network‑security engineer in the Air Force and built a technical foundation that gave him credibility but left gaps in business judgement, storytelling, and influence.
- The travel industry’s tightly woven ecosystem of identity, payments, loyalty programs, and third‑party integrations amplifies risk; a breach in one area can ripple across customers, partners, and operations.
- Generative AI has expanded threat modeling beyond infrastructure to include prompt injection, model access, synthetic identity, and shadow‑AI adoption, while also becoming a powerful defensive tool.
- Effective CSOs decide where to engage based on trust, resilience, regulatory exposure, and systemic business impact, avoiding the trap of becoming a perpetual veto function.
- Judgement, the ability to translate technical signals into sound business decisions under ambiguity, is the most undervalued skill in developing the next generation of security leaders.
Background and Career Path
Devon Bryan’s security journey started in the U.S. Air Force as a network‑security engineer, where the focus was operational: understanding the network, the mission, the adversary, and keeping systems running under pressure. After his military service, he moved through financial services, consulting, critical infrastructure, hospitality, and now serves as the Senior Vice President and Global Chief Security Officer at Booking Holdings. Each sector exposed him to distinct risk environments and operating models, broadening his perspective beyond pure technical execution.
Technical Foundation vs Business Judgement
The early technical grounding gave Bryan credibility in comprehending how systems work, how attacks evolve, and how operational failures cascade through complex environments. However, he quickly realized the biggest gap was learning to think beyond the “technically correct” answer and instead navigate the tension between security, business growth, customer experience, resilience, regulatory expectations, and speed of execution. Early in his career he underestimated the importance of storytelling, influence, and organizational dynamics—skills that become essential at senior levels where leaders are judged on their ability to help the business make durable decisions amid uncertainty.
Travel Industry’s Unique Risk Landscape
Booking Holdings operates at the intersection of financial data, identity documents, loyalty point economies, and geopolitical targets, making it an attractive target for threat actors. What keeps Bryan awake at night is not any single asset but the sheer interconnectedness of the ecosystem. Travel brings together identity, payments, loyalty ecosystems, third‑party integrations, global operations, and geopolitical considerations at massive scale, so a disruption in one area can generate downstream operational, financial, and reputational impacts across customers, partners, and employees.
Interconnected Ecosystem and Attack Surface
Having worked across banking, hospitality, and travel technology, Bryan observes that attackers increasingly target trust relationships and operational dependencies rather than isolated systems. The modern attack surface includes vendors, APIs, cloud environments, partner ecosystems, and, increasingly, AI‑enabled workflows. Because the risk propagates quickly, resilience matters as much as prevention. Booking Holdings emphasizes layered defenses, continuous monitoring, strong identity controls, and operational readiness, recognizing that rapid detection, response, and recovery are critical in a globally interconnected business.
Impact of Generative AI on Threat Modeling
Over the past 18 months, generative AI has fundamentally altered the threat landscape by increasing the speed, scale, accessibility, and sophistication of attacks. Skills that once required specialized expertise can now be deployed convincingly and at high volume, leading to more personalized, multilingual, and scalable phishing, impersonation, fraud, and social‑engineering campaigns. Consequently, Bryan’s threat modeling now extends far beyond traditional infrastructure and application security to encompass identity integrity, AI‑generated content, machine‑to‑machine trust, model access, prompt injection, data lineage, third‑party AI dependencies, and the rising risk of shadow‑AI adoption across the enterprise.
AI as Both Threat and Defensive Enabler
While AI amplifies offensive capabilities, it also serves as a vital defensive asset. Booking Holdings leverages AI to improve threat detection, prioritize vulnerabilities, enhance fraud analytics, and boost operational efficiency within security workflows. Bryan stresses that AI is a force multiplier for both attackers and defenders, necessitating an approach that balances optimism with disciplined governance, clear usage policies, and continuous monitoring of AI‑related risks.
When Security Should Engage in Business Decisions
Security is now inevitably woven into major business conversations—M&A diligence, AI adoption, product strategy, resilience planning, regulatory discussions, and geopolitical risk management. Bryan’s decision framework for planting the flag hinges on four criteria: trust, resilience, regulatory exposure, and systemic business impact. If a decision could materially affect customer trust, operational continuity, enterprise risk posture, or the ability to scale securely, security must have a strong voice early in the process. At the same time, he cautions against operating as a perpetual veto; instead, the goal is to set clear standards, accountability models, escalation paths, and guardrails that enable teams to move quickly within an acceptable risk framework.
Balancing Influence and Avoiding Overreach
Maturity in security leadership often lies in knowing where not to over‑rotate. Inserting security too deeply into every operational decision creates friction and dependency, slowing the business. The most effective security organizations act as enablers, supporting confident decision‑making rather than acting as roadblocks. By establishing guardrails and empowering business units to own risk within defined limits, CSOs can maintain influence while preserving agility and innovation.
Critical Skills for Future Security Leaders
Looking ahead, Bryan identifies judgement as the most undervalued skill in hiring and developing cybersecurity talent. Technical expertise remains important, but the ability to convert technical signals into sound business decisions under pressure and ambiguity separates strong operators from future enterprise leaders. Judgement also manifests in communication: translating complex risk into clear narratives for engineering, legal, finance, operations, and the boardroom. Emerging leaders must cultivate curiosity, adaptability, composure under pressure, and the willingness to operate outside their technical comfort zones to navigate AI, geopolitical instability, regulatory expansion, supply‑chain complexity, and increasingly autonomous systems.
Conclusion
Devon Bryan’s career illustrates the evolution from a purely technical security engineer to a strategic enterprise leader who balances risk with business enablement. His insights underscore that modern CSOs must master ecosystem‑wide risk thinking, harness AI responsibly, exercise judicious influence, and nurture the next generation of leaders who combine technical depth with strong business judgement. In an era where trust, resilience, and speed are paramount, such a blend is essential for safeguarding the interconnected worlds of travel, finance, and technology.

