This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the Podcast): Creating Security Ambassadors and AI Ethics with Chase Franzen

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity, and RISC, and the people in process and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Drex DeFord: Hey everyone, I'm Drex, sits on Hacked the podcast lucky enough today to have Chase with me on the show. Hey, chase.

Chase Franzen: Hey, Drex, how's it going? Happy to be here. Looking forward to the discussion.

Drex DeFord: I think it'll be fun.

Chase Franzen: I think if you would've asked me, I would've said that I wanted to be a fighter pilot. In the Air Force. I do now fly airplanes. So I've been lucky enough to pursue some of that. But I never did get into the Air Force. I grew up I like to think that I spent most of my formative years trying to, escape technology and not be an IT nerd only to over time realize that, man, I'm an IT nerd. Like I love this stuff. And I would say that was most of my background is what were you

Drex DeFord: trying to escape? What was the escape part?

And I like to break stuff and put it back together. And was kind of, forced to do the it thing out of kind of just not having much else to do on this tiny island. Ended up moving off of the island and I, wanted to go into college for business marketing, wanted to do kind of a suit and tie thing and then.

Kept coming back to it because that's what I was good at. I'm a tinker. I again, like to break things, like to put things back together, have a weird varied background from there. I like to. Joke that I have career and hobby ADD. So I've done things like I was in real estate and had a general contractor's license.

So kind of other things outside of tech. But really the passion and the desire to really be a nerd has come back and back. And so here I am. This is the calling. I don't think I'll ever be able to leave technology no matter how much I might like to you

Drex DeFord: you didn't start in healthcare though. Your background No. Around security started in other industries.

Chase Franzen: Yeah that's absolutely right. So, I went to school for economics, political science thought I wanted to be an attorney changed directions, went and got an MBA in finance.

Drex DeFord: Yeah, that might be the understatement of the whole

Chase Franzen: interview.

Drex DeFord: Yeah, for sure,

Chase Franzen: for sure.

Drex DeFord: There's a bunch of stuff I wanna ask you about. Some of it is probably obligatory stuff that I'm gonna ask you about. becuase if we don't talk about people say, how did you not talk about that? Well, let's start with I know October is still a ways away sort of cyber cybersecurity awareness month, but.

I know that you have some really cool stuff going on with cybersecurity awareness. Tell me that story. Shauna Hofer at St. Luke's in Boise is like, you should ask him this question, so we'll start there.

Chase Franzen: Well, that's awesome. And thank you Shauna for throwing that out there. Shauna and I have talked a lot about this and she's one of my best friends in the healthcare cybersecurity world, so really appreciate the amazing community, that we have in the healthcare cyber world.

It's not just October that we should be caring about cyber awareness, right? This is a year long activity. I'll say the first thing that I think is important from a cyber awareness perspective is. That it should be fun. All too often I think cyber departments are viewed you run into, somebody in an elevator, in a hallway and they find out, oh, you work in cybersecurity. And inevitably they go, oh, you guys are the ones that send me the phishing emails. Right. And I think all too long we've kind of, we've laughed about that as you know, as cyber practitioners, but. That's not what they should be saying, right? That's one like itty bitty tiny piece of what we do.

He comes from a very interesting background. So we talked about my background. He's an even kind of more interesting background. He's a shrink. right So he is a marriage and family therapist. We brought him in with the idea of at the end of the day. The content cybersecurity can be taught we can teach you anybody about cyber safe practices.

We're not trying to shove, cyber nerdy technology, words and concepts down people's throats. Yeah. We are meeting folks where they're at. So targeted training. One of the things that we do really well in anticipation for October coming up here. We have quarried leaders around the systems.

And we've gotten phenomenal responses about that because not only do we ask, but then we actually do it. We're not coming to these teams with just the same crap that we've regurgitated a million times. Right. Here's the stock PowerPoint

Drex DeFord: deck. I'm gonna tell you this. Yeah exactly. You heard last year at this time.

Yeah. This's great.

Chase Franzen: Yeah. We'll come and we'll talk about kind of what they've seen, what they've done the fears that they have and tailor it to them. Secondly we have a really successful cyber ambassador program. So we're in our second full year of this, our second cohort.

That they can then go, was that

Drex DeFord: in person or did you do this virtually? How did you.

Chase Franzen: It was hybrid. So we did some in person and some virtually. And they would come in and they would learn things that were interesting primarily that would then start conversations. So for example, we had one of our security analysts that showed how lock picking works.

And as you might imagine, people are like, oh my God, this is crazy. We did a. How a cyber attacker does osint, right? How they do open source intelligence and then crafts a phishing email to include how do people spoof email addresses. We did one around deepfake, so these concepts where. From a non-technical perspective, we kind of pull back the curtain.

And so that's been super, super successful this year. Our cyber ambassador program is even bigger because the folks that were part of it last year said, this is one of the most fun things that I did in my month. And it's also really interesting and we learn a lot of really great stuff. And so just that kind of, viral nature of people talking about it has been really successful for us.

And then maybe well, lemme ask you a question. Yeah.

Drex DeFord: So you, so you've got 400 cyber ambassadors.

Chase Franzen: That was last year. I don't know, I don't know what we have however many year,

Drex DeFord: right? This is good. This is a good problem to have.

Chase Franzen: That's spot on, so, okay.

Got it. Got

Drex DeFord: it.

Chase Franzen: So, so, so once a month we drill down into one area. It's usually an area that, is either super important to our current program something we're working on, something we're trying to affect change in, or something that is hot, that, that has affected maybe other health systems, a recent cyber event or something that is in the news.

Right. So. AI and effective AI, on cybersecurity has been a topic that we've gotten a couple different sessions from, but you got it once a month 12 months. That's how it works.

Drex DeFord: I wonder sometimes it's even the stuff that affects them and their families personally, right?

Because that good cyber hygiene at home then becomes good cyber hygiene at work.

So a lot of those different examples in talking about. Home cybersecurity and scams and how pervasive the scamming kind of industry is.

Drex DeFord: This is all really interesting because I was reading something and then talking to somebody about this the other day. Their organization was in the throes of a cyber event, and one of the distractions that the bad guys used was that during the cyber event, they found one of the analysts and they created a situation at home for the analyst, which took the analyst out of the game.

Right. Because now they're dealing with this home. So yeah, absolutely everything. Absolutely everything connected to everything else.

Chase Franzen: Super sophisticated. Yeah, it sure is. Yeah. Yeah.

Chase Franzen: Yeah. I go back and forth on ai. Seemingly daily right now. I'm, like many of us, super excited about the kind of potentials of it, especially in the world of cyber. I think about how, gen AI can increase the amount of visibility that we have. In a security operations center.

I think about the implication on something like, phishing emails, right? And understanding the nature of an email gen ai, reading an email going, eh the goal that this person is after is not, something that is good. It's nefarious. So I think we've got a world of benefit.

But I think as a nation as a people, i'm not sure that we've figured out how to have effective oversight. It was interesting that I was listening to a podcast just this last week with a person that I won't name on it who has been in the news a lot talking about his AI technology that he's got.

What we want and need, and have, we set up boundaries that can be enforced. And beyond that, I worry about the environmental, the really real ROI on this stuff. So, again, economics background. Yeah. This stuff is super expensive, from a power perspective. Power consumption. Yeah.

From a, distribution perspective, from, just a land use perspective, are we really recognizing. The full cost of creation and ownership of this. Or are we just, to coin Milton Friedman's term? Or are we just being irrationally exuberant about it? Sure. We can do it.

I am concerned about how good of a social engineering campaign AI can write, right? Like, AI is way better at, at writing an email than me. Gone are the days of, look for bad spelling and bad use of branding and, extra spaces and extra line breaks like it is. You can

Drex DeFord: sit down in GPT and say.

Can you write an email? Here's what I wanted to say and I would need for you to write it as a native English speaker from Indiana who has an eighth grade education. And it can That's right. Print that out for you. It just doesn't matter that all those clues doesn't matter, like you said we used to look for, they just don't exist.

So everything that has true AI in it has to go through this committee. I'm a member of it. It's chaired by our CMIO. Mm-hmm. Has clinicians in it. It has technicians in it. We have our diversity and inclusion officer as part of it. We've got of course, legal, et cetera.

It's a great multidisciplinary group. And really we are looking at not only the ROI of this stuff from like a true, complete cost of it but we're also looking at the ethical implications and really figuring out like, is this the vendor that we want to do business with in these very critical areas.

Drex DeFord: just the tech, but also the company. Oh, absolutely.

Chase Franzen: The

Drex DeFord: company reputation as part of, absolutely

Chase Franzen: I think that piece is important, right? Because again we're very early days here.

So it's, and it's not only the company and reputation, it's are they good? Are they ethical? How are they approaching these very difficult kind of philosophical conversations? And thoughts about ai. We're tracking. We have approved over 30 ai capabilities at Sharp, and we're tracking over a hundred right now that are in use at Sharp.

To give you just a little bit of insight into the magnitude of this at a health system like Sharp.

I'm with you. I'm a big, I think back. It was only three years ago or something that we started with ChatGPT, like that. It's still like a little tiny baby. Just announced. I think it has the valuation. Yesterday, maybe I read something. Half a trillion dollars. Incredible speed. Incredible growth.

The more they know, the more they figure out how to do and not just that. Yeah, open ai. Company. But but all of them,

Chase Franzen: And you look at that, so three years you look at the hockey stick and you go, what is that trajectory look like as it's a really both interesting, fascinating, exciting and scary at

Drex DeFord: the same time,

Chase Franzen: thought where are we five years from now?

It's

Like every month there's something that's. 10 times better than the thing we had last month.

Chase Franzen: It's funny you mentioned, you deep faking your voice. One of the things back to the cyber training awareness, how do you get people involved?

So we do. The yearly mandatory compliance in cyber education that everybody does. But we this year we revamped the whole thing. We actually, just yesterday I was in a meeting where I had somebody tell me that was the most fun educational, like, forced educational course that they've ever taken

And then inside of the course was a, which one is the real ciso? Is it, this chase or is it this chase? Oh, I love that. But drex that was based on capabilities that we had, seven, eight months ago. You do it now. Oh yeah. And those little things where like my team could tell which one the real chase was because the intonation of my voice, little cues were not right, but like.

We did one just last month, and it's, man it's, it's a lot better, lot better. lot better.

Drex DeFord: There's some amazing, it's tech. You can feed this stuff in have the fake and then you can do things like punch up this line, be more emphatic or, be less emphatic about that line.

You can tune it for emotion on certain. Yeah. So that you can really tune it into, that's how that person really does speak right. Yeah. Crazy. It's crazy. You wanna do a couple lightning round questions? Yeah, man. Do you have a favorite quote?

Is there a a quote? Yeah. From a even not famous person that you go back to from time to time.

But on the kind of wall it said, good is never good enough. And that's kind of stuck with me. It's. kind of sad, right? But it's also like this idea of perpetual, move forward, get better, never being complacent with the what is, but rather the what could be I think is powerful. And that kind of connects to my all time favorite quote is by TS Elliot.

push, the bar forward maybe at the cost of failure. Yeah. You really don't know how far you can go if you're constantly in this comfortable zone. You're never gonna know how far you can go until you get uncomfortable. And I think that's really powerful and that stuck with me, gosh, almost my entire life.

Drex DeFord: That's great so both of those, I have talked to my teams in the past about they get comfortable with your uncomfortableness. That's the best. You don't have perspective, like, especially I think with endurance athletes. When you ride a hundred miles, when you run a marathon, you get to the point where you kind of go at any given point.

And I was embedded with some army guys and one of the army guys said something like, well, look, you there, LT, you can only get so dirty before you start to get more clean. And so it's stuff like that, right? Yeah. That you just you wind up sort of figuring it's so good. That's, yeah that, that's good.

I think the continuous performance improvement and always getting better. I love that one too. You talked about failure there. Do you have a favorite failure? Like, I feel like I've failed a lot in my life, but

Chase Franzen: Yeah.

Drex DeFord: But I think the failure has led to like figuring things out, but do you have a favorite failure?

Chase Franzen: , I'm gonna give you one that has nothing to do with cybersecurity or even technology but as you ask that question, it's like, it's the first thing that pops into my mind. So I mentioned that I have a background in real estate. One of the things that I tried to do before I came back to, the home of technology was work in real estate investment and construction.

I thought I knew which house it was. Right. We were at a real estate auction. This address came up. There was a picture of it. I was like, ah, I live right there.

I know what house that is. Bought it on behalf of this company that my buddy and I had started. And we got to the house. It was not the house I thought it was. And we overpaid for it big time. Oh. And it was in horrendous disrepair. And it was just a massive investment failure, right?

So we way overpaid, we were way in over our heads. It was, the classic money pit scenario right from the movie. And we were looking at it going, gee, what do we do with this now? And what we did with it was my partner and I, we're pretty decent with construction, but like we didn't know every trade in construction.

And it was brutal and it was hard and it took many months and it was way more expensive than we thought it would be. It was in Minneapolis in the winter. I've got pictures of. Like looking like Kenny from South Park, right? All like bundled up inside, like, doing plaster on the walls.

And I look back at that because, yeah, I mean, it was a failure. We, we, We didn't make money. It was way longer than we thought. It'd be way over budget. But it was so formative and I have had the opportunity of, owning a couple houses since then and I can do everything I want now on a house.

Sometimes it's just hard fricking work that gives you the most life lessons and teaches you the most, so. That one is just like this thing that's been forever embedded in my brain of like, if I could go back to that moment bidding on that house, would I still buy it? because holy crap, it was still a lot of work.

But it also taught me so much, and I think the answer is, heck yeah I'd do it all again.

I think the worst thing you can do is give people just tons of money and say, go be innovative, because they just buy things.

Chase Franzen: Yeah.

Drex DeFord: Versus saying. We don't have money. We've gotta figure out how we're gonna work ourself outta this situation. Yeah. And that creates a lot of really super impressive innovation.

People are really creative. Yeah.

Chase Franzen: Right. Scrappiness is a virtue scrappiness. Yeah.

Drex DeFord: Last question. What's the best airplane you've ever flown?

Chase Franzen: I've flown cooler, more interesting, more unique airplanes. But the iconic piper J-3 Cub is my favorite airplane that I've flown and I'm, fortunate enough to fly one often, but it's very simple and in a world of technology and cybersecurity and worrying that, can hackers hack the avionics and airplanes?

And I think that'd be my answer. That's the most like iconic, true airplane that I fly.

Drex DeFord: I love it. I think that's a great answer. I appreciate it. Hey, thanks for being on the show today. This was fun.

Chase Franzen: Yeah, absolutely. It was a great time.

Thanks a lot. Drex

Drex DeFord: That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.