This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity, and RISC, and the people in process and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Drex DeFord: Hey everyone. Welcome to UnHack the podcast. It's super cool and really fun because we're doing something a little different today. I've got two folks with me and usually I only have one guest today, two guests. Brian from Lee Health. Aaron from Medical University, South Carolina. Welcome to the show guys.

Brian Zegers: Thank you. It's great. Great to be here. Thank you for the invite.

Aaron what's the coolest thing you're working on right now?

Aaron Heath: For better or for worse, one of the things that you know. I recently took on where some of our network and infrastructure teams that previously were not within the security office. So it's been fun trying to align strategies with them because there's a lot of opportunity to do so.

I think, one, one of the pretty interesting areas that we're looking at is, South Carolina we've got quite a few clinics Freestanding emergency departments some rural hospitals that, they do not have the greatest network connectivity in the world. And they somewhat, I don't wanna say regularly, but regularly enough that it causes some pretty acute problems for those areas. And so we're working on a project to look at different things like satellite connectivity, to be able to maintain connectivity. If they have an outage, somebody digs up

That's kind of a fun one that we're working on.

Drex DeFord: I like that. I mean, it is really interesting, right? When you're in a big place and you have resources and you're in a city or a city-ish environment and you talk about redundancy and having two lines going two different directions outta the data center on different sides of the building and not, rejoining at the same telco building or, so you can build redundancy in, but a lot of these places don't have that capability at all. Do they? Yeah. It's just like one line. That's it. That's all we got. Hopefully nobody cuts it with a backhoe when they're. Planting the new tree or something?

So yeah, we're looking to what kind of things can some of the satellite services provide for us?

Drex DeFord: I like it. That's pretty cool. Hey, Brian, what's the coolest thing you're working on right now?

Brian Zegers: , One of the great things we've been able to do is we're calling it kind of a recovering from ransomware initiative.

So it started with off with some tabletop exercises with various groups, but really spawned into some kind of sub work streams where we're looking at, I. All the different aspects of what we'd be dealing with in ransomware scenario from, our capacity for storage and compute to be able to recover to snapshot groupings and timings of backups, right?

You talk with infrastructure, yo we, got snapshots, we got backups, and let's dig into that, right? Like. Do we have this across? What does that mean? What does, well, there's these couple areas where we don't, okay, which systems are those? Oh, well those are key systems. So it's letting us like have a lot of really good in depth conversations and getting all the teams outside of cyber to, especially on the infrastructure side, to think about what would be involved in this process and try to.

But. I really like that because I think all of us know it's not a simple conversation. A lot of these really start growing into much broader, complex decision making processes and things we need to think about and pulling in so many other teams outside of cyber.

So we've been having that go on probably since the end of last year and most of them are completion, depending on or running through the rest of the year. But it's really helping us in the preparation phase of those events. And it helps us really in overall DR planning too.

Drex DeFord: I mean, they get distracted because day-to-day work comes back in and starts to suck up all those cycles. It's really interesting. I mean, so many components of that, like you talked about having hard copies or having an offsite copy of stuff like the contact list and I mean, there's so many things that we have of it.

Yeah, we're gonna be able to get to that. It's on SharePoint, we're gonna be able to get on the common drive. And it's like, oh no, we can't get to the common drive. What are we gonna do? It is crazy, right? Everything's connected to everything else and. That turns out to be a huge deal.

Now I wanna go back to Aaron for a second. Brian kind of alluded to this idea that he's coordinating with all of his technology teams and all of that. You said something earlier that I'm like I'm gonna ask the question again. You said all the infrastructure teams like report to you?

It's like, all right, call network and call firewalls. And they're working together as it is. And now we've just got like really strict alignment with them. So really excited about some of that. Certainly brings in some new areas. That I didn't have oversight for before. But I can't tell you how many times or how often we're finding, like these are things that really things that the CISO should be concerned about, right? Because a lot of the infrastructure teams, they wanna [00:07:00] move fast and they want to do DevOps and stuff like that, but like availability is so important to them. Right? And I'm like, I'm aligned with you on that one, guys.

That's really focused. So it's been pretty interesting and good journey. I don't know if it fit works for every organization, but. We've got some folks that are really jumping in and embracing it I think

Drex DeFord: it's interesting that I feel like I hear more and more often chief information security officers are moving into that what used to be mostly.

Called a chief technology officer kind of role. They're sort of combining those. Now, they may still have like a director of infrastructure and those kinds of people, but a lot of it is sort of de conflicting the priorities and figuring out okay, patches or whatever, right.

There's always something going on. And Brian, you probably see the same thing in the spirit of everything that's connected to everything else on the application side of the house too, right? Everyone's a security person now. Not just the infrastructure guys, not just the folks on your team, but all those apps, people now are security people too.

Brian Zegers: Yeah. And that's fun, right? Because it was hard enough getting 'em to be IT people some of the times, let alone now they need to be security people on top of it, right? Like app support folks kind of knew apps. They didn't always know the infrastructure.

So, but yeah, it's all interconnected and I think that's really where everything's going right. So much of it is layers above the hardware and kind of virtualization layer now. It's all app and security and processes and integration of all these different systems that's where all the resources are at.

That's where so much of the team focus is spent now. So

Drex DeFord: and software as a service. Yeah. And all those third party relationships, I mean, we can go down the third party road, but I really want to ask you Brian, a little bit about. I feel like how do we do this without asking or talking about ai?

So, what are you thinking about AI right now?

But it's really coming full speed. , So recently, one of the key topics is co-pilot, right? And we're in the process of doing an evaluation of co-pilot. But the automation of AI is really what scares me, right? Because to me it's that whole RPA the robotic process automation on steroids.

Right. If you start giving AI the ability to just automate and do tasks, right? The next thing is now they're gonna want these accounts to have tremendous amount of access in the organization and no one's really gonna know what it's gonna do. And somebody could easily tell it to do something that we don't really want it to do across the board.

Drex DeFord: Let's ask Aaron and see what he's come up with. I mean, you're totally right. We see this continued growth phase through sort of like we had Google and then we had chat GPT, which was kind of just like a fancy version of Google. That's how people sort of used it.

But now they've turned these things into agents and they're loading things up there and giving them perspective and then asking them to do particular kinds of work. We're doing a bunch of that stuff here internally too. It's kind of cool and very interesting, and with everything that I do, I'm always like, oh, that's really cool, but my next breath is always like, and oh crap.

What? Unintended consequences are gonna come from that. Aaron, what are you guys thinking about ai?

That is where my head is concerned. Because you're probably gonna have shadow aI agents, right? Like shadow IT course that people are using to do their jobs and they give them their identities and who knows what they are gonna leverage them for within our environment.

I mean, heck in the security office, right? We want to use ai. Yeah, we wanna do remediation faster. We want to isolate things faster. We could be the ones who create the disruption ourselves. So like, we need to be mindful of how we're using AI in our own departments, honestly, because we have very privileged access.

Less passive, more active phase of AI start to look like. And that's where I'm constantly trying to iterate and think about how we kind of get ahead of that.

Drex DeFord: Yeah. in my head, this is a little bit like I don't know, change control or something like that where we have processes, but we have humans in the process and we always look at it and say, okay, we got a back out plan, right?

We gotta kill switch on this. If something starts to go wrong, we ask those kinds of questions. So maybe it's kind of,

Brian Zegers: yeah,

Drex DeFord: mentally something like that.

Brian Zegers: and we're seeing a lot of parts of the organization too, kind of say, we need this, we need to get it implemented, but not really a firm use case of what do they want to do with it.

Right. So even on the other side the business and clinical owners don't really know exactly. They just, Hey, we wanna try and, reduce time spent administrative hours and make things faster and more efficient. But trying to squeeze it down to, okay, talk me through what exactly do you want it to do?

What we're not sure yet. It's like, well, oh.

Let's

Once you have great data and you have it in a good place and you start to do that kind of analytics with AI or without ai you start to find out things. You didn't know. I didn't know I could ask that question. So now that I know I can ask another question. I didn't even know I could get an answer to that.

AI is kind of, playing in that same space right now. Like I didn't know I could do that. When, if I can do that, can I do this? And the answer may be yes, and then they continue on. But you know, the problem is doing it on live data, on the live network and causing that kind of cascade effect. Yeah. Brian, you've also done some pretty cool stuff on talent recruitment and retainment.

We talked a little bit about that in Boston, but tell me more about where you're at with that. because I know you've made some progress since we were all hanging out together.

So then we had the hurdle of actually hiring those folks. And with the change of remote work, we have some requirements of employees have to be a resident in the state of Florida. Which typically right. Like of most people that wanna move to Florida or people that wanna retire in Florida or ready to retire in Florida

so we had to really figure out as many different avenues and possible options of how do we get people into these positions and so we started really looking at what we call, at least what I call internal poaching. Right? Like, who are the top internal candidates that we wanna go recruit and pull over?

And know when to call it and kind of say, let me not spend more cycles on something and go down a rabbit hole. That wastes time, right? Those are. Hard things to do and you also need a good understanding of the infrastructure to be able to do that. So, internal poaching has helped us identify really good candidates and bring them over relationships with local colleges and universities.

So that's something I've kept going and be able to talk to the professors there and say, who are your top students? And talk with the class and offer mock interviews. And actually through a mock interview, we had an individual, one of the students who killed, she did terrific on the mock interview enough to where me and the manager said, I.

You need to apply for this position right now because we are gonna interview tomorrow for it like we wanna hire you. It was just one of those with that relationship that allowed us to find somebody who would just be a great fit for the team. And other communications with other healthcare institutions, right?

It's a lot of different avenues that and then at the same time, you gotta kind of keep 'em going and keep those stokes in the fire. because Great. Now our positions are filled. I don't know when the next one's gonna come but I want those ready to be able to, have that pipeline feed in as soon as the next opening comes about too.

Drex DeFord: Yeah. So, internal poaching. Go to the universities and community colleges and ask questions. Work your network. And then the other issue about this is if you have a full team, you also have to figure out how to make them happy about being here and give them interesting work, right?

Come on, let's go, type thing. So cyber's a really fun domain for being able to like, introduce people to a whole lifetime's worth of learning and stuff like that. Yeah. You just, you gotta have the right head, coming into it. because it's not for everybody.

Drex DeFord: all right. here's my old CIO tip. When you're in an interview with somebody and at some point they tell you that they were a bartender in college, that person probably has a lot of the skills that you're looking for, right? Relating to people, being able to solve problems, breaking up bar fights being able to handle money, managing

Aaron Heath: a lot of stuff.

Oh yeah,

Aaron Heath: A hundred percent.

Drex DeFord: How'd that happen? How'd this happen?

Aaron Heath: The long and short of it is that while I was in law school, I started my information security career. And so, I was in law school. I had started working in information security and I started talking to a few mentors of mine and stuff.

They're like, you know what, you, there might be something there. Information security is getting kind of important. And there might be a nice Put these things together. Yeah. The law one day there might be some opportunities there. And so I was like, well, like, it's kind of fun to sort of explore new things and, see where they go.

And so I just stayed really close on information security, stayed close on technology while I was in law school. And eventually once I got out, did some, healthcare compliance work and some telehealth work and some privacy work and information security. I kind of stayed close with the information security office here at MUSC.

So I did and I've been doing so ever since then, so it's been a fun journey.

Drex DeFord: Nice Brian? No. Law school? No either. I didn't go to law school Aaron, making us look bad. At some point though, in your career, you were doing something and you got on this path. How'd that happen for you?

Brian Zegers: I got my degree in electronics engineering, so not too much in IT related. Just happened to guys I went to college with, got into it and kind of got me a job in it, and that's how I got started. A long time ago, but moved up throughout kind of managing and directing the infrastructure side of it and, I just found for me, it wasn't challenging enough. It the technology doesn't change as frequently Right. Every big things like virtualization and solid state drives. Right. It's just, that's not all that frequent. So, and the late night calls. So I, Aaron, I don't know how you get any sleep owning.

It's not always a simple yes or no answer. There's a lot of conversation and back and forth to really figure out what's sort of an acceptable risk. And I like that part of it. And our organization didn't have a security officer lead. So at the time I went to the CIO and said, I'm really interested in doing this.

I would like to take on that responsibility. because he was that person on paper. And said, I'm gonna take this on my current role and at some point I'm sure you will create a dedicated, CISO level role and I wanna be considered for it. Fair enough so that, took the initiative to, to start get into it.

And when the organization said Yes, we need to create a information security officer role, that allowed me to transition over and then kind of move away from also doing security and infrastructure. because fourth time I was doing both.

Drex DeFord: Man, you're right. This is the most interesting. Role in the world.

As Aaron kind of alluded to, that once you're in the path, there's so many roads you can go down and so many new skills you can learn. It's just crazy. Okay, I could go on forever. There's a hundred other things I'm gonna talk to you about. Maybe you guys will come back on the show again at some point, but let's move to

the lightning round. Let me see here. What I wanna ask you guys Brian and Aaron, interesting names. But you probably have nicknames. Maybe you do or maybe you don't. Aaron, you have a nickname.

Aaron Heath: My high school friends call me big A, my soccer coach used to call me thunder lips. I have no idea where that came from.

So there's kind of a laugh for you. I don't know where in the world that came from.

Drex DeFord: That's awesome. Brian, do you have a nickname?

because somebody can't spell Brian properly in email. Probably once a day I get, brain in an email. But and I don't know, I think probably when I make phone calls to people too, people. Gimme my nickname is, oh, crap. because every time I call someone, like, what did I do? What am I in trouble for?

I'm like, is that really, my reputation? Like I only call when you do something bad.

Drex DeFord: That's so good. I think that's true. When you have a last name like Zegers or a first name like Drex, it's really hard to get a nickname. So I don't really have a great nickname. Aaron, what fun thing are you doing this summer?

Aaron Heath: My family including myself, are headed to Australia in a couple weeks. Oh, wow. So that's gonna be pretty interesting. I've got a 4-year-old that's gonna be on a quite a long flight, so we'll see how that goes.

Drex DeFord: Don't have a 4-year-old, but I might wanna talk to you about your agenda at some point.

Yeah, sure. Australia is the only continent that I haven't been to yet, so I gotta work on that. Ryan, what do you do in the summer?

Relaxed sun rose at 5:00 AM and set at like nine 30. So you had, wow, you 5:00 AM to 10:00 PM of daylight to go out on the lake and fish.

Drex DeFord: Yeah. I live in Seattle and I have that similar super ultra long summer experience, but it really stinks in the wintertime because you get the opposite version of that Brian dog guy or cat guy

Brian Zegers: dog.

Only forced to by my kids, but dog. Dog, Aaron? Yep. Dog. You're a dog

Drex DeFord: guy too. Okay. Awesome. Let me ask you about your favorite metric, Aaron. This can be a work metric or this can be, I'm a dog guy, by the way. This can be a work metric or it can be some metric that you use in your life or other stuff.

What's your favorite metric?

Drex DeFord: Let go to Brian. What's your favorite metric?

Brian Zegers: I guess maybe it's not a metric, but more of like a rule I go by of just as long as the decision I make, I'm comfortable with, I can sleep at night.

because people always say, how do you sleep at night? And it's like, hey, as long as I know I'm making the right decision, I can live with the outcome, right? Because I know I made the right decision based on the factors and helped me. Be comfortable and know even if an event happens to the organization, I did what I could do, everything I could do to try and protect and prevent those type of things.

But we know we can't ever do a hundred percent right. So we always kind of have that area of unknown that we're dealing with.

Drex DeFord: Yeah. You and I have talked about this, like it's not necessarily that you made the right decision as much as you did your best to make the right decision. Yeah. Given all the information that you had, you know you did the best that you could.

I think that's a great way to just kind of generally go through life. A lot of people agonize over perfect. And as we say, perfect's the enemy of good. Aaron, did you come up with something? Yeah so

Like number of end of life systems we have that broken out and, patching on critical. And you work really hard with some teams. To change a process or you deploy some new technology and you can just wake up the next morning and you just see the, some of that stuff drop off or improve.

And I, it is like the greatest, like hands in the air like feeling, just to be able to see that kind of like, quantitative impact that you can share with all your teams and stuff. We, I've got a whole bunch of examples of that recently where we've just, we did some small things we just been, hadn't been focused on for a while.

We prioritize 'em and it's just like, watch the metrics or watch the data fall off, that is just such a good feeling to celebrate with those teams.

Drex DeFord: That's good. I love that. Okay, last one. Speaking of hands in the air, you're going to a big conference.

Brian Zegers: Oh, you already know it's Ice. Ice baby, right? Like, we love it Ev and everybody in my whole company knows that's my song that I, somebody, anybody could answer that question for me.

Drex DeFord: I love it. Aaron, what's your walk up song? Gosh, there's a couple Led Zeppelin song. I'll take a whole bunch of led Zeplin songs. Okay. We'll just

put a mix

Aaron Heath: together for you. Yeah.

Drex DeFord: All right. Awesome guys. Thank you for being on. That was super fun. I hope that we can do it again and I'm looking forward to seeing you the next time we get together.

Yeah,

Brian Zegers: It's been a real pleasure. Yeah. Thanks Drex. Appreciate it.

Drex DeFord: That's it for unh. Hack the podcast. I hope you guys are having fun. Stay safe. It's cybersecurity. Stay a little paranoid and I'll see you around campus