Protecting Your Organization from Cyber Criminals with Dr. Eric Cole
Episode 357 • 27th January 2021 • This Week Health: Conference • This Week Health


Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.

Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Special thanks to our Influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders.

If you want to be a part of our mission, you can become a show sponsor. The first step is to send an email to partner at thisweekinhealthit.com. Your response to Clip Notes has been incredible, and why wouldn't it be? You helped create it. Clip Notes is an email we send out 24 hours after each episode airs, and it has a summary of what we talked about.

It has bullet points of the key moments in the show, and it has one to four video clips, so you can just click on those video clips and watch different segments that our team pulls out that we think really capture the essence of the conversation. It's simple to sign up. You just go to thisweekhealth.com, click on subscribe, put your information in there, and you'll start receiving Clip Notes.

After our next episode airs, it's a great way for you to stay current. It's a great way for your team to stay current and a really great foundation for you and your team to have conversations. So go ahead and get signed up, get your team signed up, and begin getting Clip Notes after the next episode. Now onto today's show.

Today we have Dr. Eric Cole with us to talk cybersecurity. Good morning, Eric, and welcome to the show. Thank you for having me. It's a pleasure to be here. Well, I'm looking forward to this conversation. There's so much going on in healthcare around cyber and just the whole framework of security.

We have the recent attacks, the breaches, and we're gonna cover a lot of ground here today 'cause I've followed your stuff on LinkedIn and I really appreciate a lot of the stuff that you're saying. Before we get there though, I want to sort of set your credentials. Tell us a little bit about your cybersecurity background and a little bit about yourself.

So I began my career back in the late eighties, early nineties at the CIA and I was a professional hacker, so I was on the offensive side and I was your super geek, right? Put me in a lab with a lot of computers and I was happy. But after eight years of doing that, two things happened. One, I got bored.

Because you can always break into a system. There's always ways in, as long as you have functionality, there's going to be exposure points. So it got easy. So I switched my focus to really focus on defense. How do we defend and protect against it in a scalable way that works for organizations like healthcare?

And the second thing I realized is that I like to be my own boss. I don't like to work for stupid people. I don't mean that as a negative, but I'm just not good that way, so I don't always do what I'm told. So I became an entrepreneur in cybersecurity, and I bought and sold a few companies. So I had TSGI, we sold that to Lockheed Martin and then Bob Stevens, the CEO at the time, kept me on as his chief scientist, focused on all cybersecurity breaches for all of Lockheed Martin.

I then went to McAfee and redesigned their entire product line, and we sold that to Intel, and now I'm running my own company, Secure Anchor, and really my focus for the last four to five years is on cybersecurity strategy and leadership. 'Cause to me, when you really fundamentally look at the problem,

You don't really have good cybersecurity thought leaders. You have really brilliant world-class technical geeks that can program track or do anything. But when you really have cybersecurity people, there's very few that can step back, understand the business, look at what business you're really in, and instead of implementing security that disables the business, I'm all about how can you implement security to enable the business to be more successful?

Alright, here's where we're gonna go with this. We're gonna role play a little bit. I'm gonna be the CEO for a major health system, and you're just gonna do you, you're gonna do the CISO. I'm gonna help you defend and those kind of things. So I guess my first question is, what do I need to know as the CEO of a health system that I'm trying to expand my digital offerings, I'm trying to make healthcare more accessible?

We're doing a lot of things that we haven't done before. What do I need to know as a CEO of a health system? First, you need to recognize that your organization is going to be a target. You are going to be targeted. The other thing you need to know is that the probability that your organization is already compromised is probably as close to a hundred percent as you can get.

So the adversary is already in and has access to your network. So now what we need to do is how do we design security in a way that even if somebody is within your environment and network, we can still protect and secure the critical information and the critical data.

And that's what it really comes down to is what is the most critical data to your organization. And what measures can we put in place to protect, secure, and get visibility? So cybersecurity's not about prevention, it's about timely detection. So I need to understand your business. I need to understand how you make money so I could put the proper visibility in there.

So when breaches do happen, we can minimize and control damage. So you're saying as the CEO, first of all, you're, true to form, scaring the crap out of me. And that always happens whenever I sit across from people like yourself who have hacked organizations and know the vulnerabilities.

You essentially say, look, I can get in, we can get in, and my history would prove that. We had an internal auditor. My team came to me and said, hey, I feel pretty good about our security setup. I said, great, well, I'll test that out. So I went to the internal auditor.

I said, look, here's the deal. What's your fee for your normal security penetration testing? Can you get in, hackathon kind of thing, getting into our system? And they gave me the fee and it's pretty high, as you would imagine. I said, all right, here's the deal. If you can get in and get to certain assets, I'll pay your fee, but if you don't get in, I'm not paying your fee.

Within 48 hours, not only had they gotten in, but they essentially had the lay of the land. And we're not talking about a system that was underfunding security. We were spending, I don't know, six to $9 million a year on cybersecurity. And, you know, we still couldn't keep them out. Now they were people with credentials like yours.

They had a team of people, former NSA, whatever, but they were using very, let's just say, not very sophisticated ways to get into our system, but once they got in, they used very sophisticated tools to really have their way across the broad network and access. Is that still what we're worried about?

We're still worried about people coming in doors that we just leave open, but then they use sophisticated tools to go wherever they want. So the two biggest challenges today with healthcare organizations are, one, servers that are accessible from the internet that the organization is not aware of. Several of the healthcare breaches that have happened had to deal with healthcare organizations that did migrations.

They acquired other providers, and what ended up happening in all the scrambling was there were servers that were accessible from the internet that contained critical data that nobody knew about. And because they didn't know about 'em, they couldn't protect them or keep 'em up to date. So that's problem one, knowing your assets.

And the second problem is targeting users. Phishing campaigns where you're going in, you're sending a well-crafted email, getting them to click on it. Nowadays, it's almost too easy. If I send anybody an email with the subject line that says "Coworkers infected with COVID" and I have an email that says, five of your coworkers have recently tested positive for COVID.

Please click on the link to see if you've been in contact with them. It's a guar... I mean, I could just sit down and give you 30 minutes of security awareness and you're still clicking on it because we are so concerned about it. So phishing attacks against individuals are the other way to get into the organization, and those are the two big problems that organizations have.

One is they still have these strong perimeters, and there's not a lot of internal security. So when the perimeter gets breached, you can move very quickly within the organization. The other problem with security is they're over-teched, understaffed. They have way too much technology and it's generating way too many alerts, and there's not enough staff to respond to it.

So with a typical healthcare organization I worked with, they're getting 15,000 alerts a day from their security software, and their team can only respond to 300. If you're getting 15,000 and can only respond to 300, you're gonna lose. So what I actually did with them, which is counterintuitive, I took out half the technology and I tuned it down.

So now they're only getting 300 alerts, but they're the most critical, highest priority. Sometimes less is better when you're understaffed. All right, so I'm back in the CEO role. I'm investing money. I feel like I'm throwing a ton of money at this. Somebody told me spend $6 million. I'm spending $6 million. Redo my budget.

For me, is it education, prevention, detection? I mean, what I hear you saying is we almost have too much technology at this point. Yeah, so I would say you're probably way over on capital expenses and way under on operational. So what I would do is I would say, can I take that 6 million and can I narrow it down to 2 million, but you'll let me hire six more people?

So can I trade in the tech for more people? 'Cause the problem today is that our technology is not tuned and running correctly, and we need more staff that are properly trained. All right, well, but let's talk about that. Staff properly trained. I mean, that's the big challenge.

I mean, this is one of the hottest areas to be hiring people in today. And it's just hard to...

Do I get to a point where I'm just saying, look, I'm gonna outsource my security operations center?

So two years ago, I would've said absolutely outsource is the answer. The problem in the last 12 months is outsourcing companies have grown so quickly that they are underperforming on their contracts because they just can't hire enough people. So they have the same problem that you have where they can't hire enough.

So you can outsource it, but you're not gonna get quality folks. So I recommend one of two things. Either, one, it's better to have one world-class engineer at 300K a year than three 100K folks. So you're gonna have to overpay. So it's better to have that top-notch person. Or the other one is get creative, and I know in some larger healthcare organizations,

HR isn't always open to allowing this, but go in and find some really top-notch people from colleges and give them a five-year contract saying, listen, I'm gonna overpay you. Now you could probably get a hundred K, I'm gonna give you 150, but I'm gonna keep it that way for five years. I'm gonna spend the first year training you, but then you have to agree to stay with us for four years, and if not, you have to pay us back the money.

So to me, you just have to get very creative in investing. 'Cause otherwise what happens is you get these junior folks, you spend a lot of money training them, they're worth twice as much, you can't afford 'em anymore, and they go to somebody else. So you gotta get a little more creative in the hiring process to keep and retain them longer.

All right. I want to go in two directions. One is what kind of training program do I put them on? But I also wanna come back to the outsource. So if I have done that, how do I look at it and determine if they're performing at a level that they should? But let's stay on the staffing side of it.

So I love that idea, by the way. I mean, alright, so we go to the local college and university and we get top-notch people. What fields should I be getting them out of, if they're not in a

security training program? Computer science would seem like the most obvious, but what I'm actually finding are even better are analytical-type skills. So psychology majors are making really good security operations center analysts, statistics majors, anybody that's all about problem solving. So anyone that understands human nature, understands how humans operate and are masters at reading people and understanding and solving problems.

That's who you're going after. Here's the part: the technical skills are easy. I can teach anybody the computer science, but I can't teach you the analytical. Either you have it or you don't. So during the interview process, you want to ask a lot more questions on how do they solve problems? How do they go about it when they have a difficult problem they can't solve?

What do they do if they get stuck? How long do they give themselves to solve a problem? It's all that style of questions, because that's what you're looking for in a really good analyst. On the security engineer side, then I would recommend once you hire them, you wanna send them through some of the standard certifications out there.

You have your CISSP, your Certified Information Systems Security Professional. You have your GIAC Security Essentials certification. You have Security+. So I would say plan on probably six of the first 12 months they're gonna be in training. They're gonna be 50% in training the first year, and then the other 50% is really just hands-on.

You're just letting them go in the lab, play around. So you're gonna get a little value, but you're really not gonna get much output in that first year. So after that first year of training, then you're gonna start getting a lot of value. And then by the second year, that's when, sorry, the third year, they're gonna be invaluable to you.

Alright, let's go back to the SOC as well. So I've outsourced, let's assume I'm a CEO again, I've outsourced. How do I determine if they are doing a good job? If they're meeting the... I mean, it is more than just contractual obligations. It's that they're letting me know if I've been breached.

They're letting me know if there's people with activity. I mean, so they're on top of things. That's what I'm paying for. I'm paying for the fact that they've done this before. They do it every day. They do it for a lot of clients. They have the expertise. How do I make sure that they're doing this?

So two important things. One is you must get monthly metrics and reporting from them, where they're telling you number of incidents detected, number of responses. You need to see the numbers because otherwise no news is good news or no news is bad news, so it's very hard to tell. So you wanna make sure that your security team is getting, it doesn't have to be complicated,

four or five metrics on true positives, false positives, attacks detected, remediation measures, but you should be getting some basic metrics from them on a monthly basis. And then the second thing you must do, which they don't like, is you must do unannounced tests of your network to see if they detect and respond.

Because most of these security operations centers, in the contracts, it says if you're doing a pen test or an ethical hack against the organization, you must give us 24 hours notice. Well, but between you and me, that's the most galling, stupidest thing on the planet. That's like saying, if you're gonna rob my house, you must tell me you're gonna rob me.

I mean, it's, it's, it's illogical. So I tell companies, don't do that. You should have somebody on your team, or you should have an outsider that once a month unannounced, and not on the same day, they just go in and start doing a heavy scan against your network. And then you sit back and you hold your phone and you wait for it to ring.

And if it doesn't ring, that should be an immediate problem that something's going on, because the SOC needs to catch unannounced attacks. 'Cause that's how the adversary works. So you need to keep them on their toes, and what I will tell you will happen is if you are that customer that they know is testing them, tracking them and watching them, you are gonna move to the top and get their really good engineers.

The customers that aren't contacting them, that they don't hear from for a couple of months, that basically are paying them and they don't care what you do. They fall down the list very quickly and get the very low end newbies in terms of that. So you have to keep them honest and keep the pressure on 'em.

Yeah. So after the contract I did with the internal auditor, they got in and I sat down with them. I'm like, all right, what are we doing wrong? And one of the things that they flipped in my head was that whole idea of a strong exterior, that you're gonna be able to keep 'em out.

They said, look, assume they're in, because even some of your hacks are coming from your employees, right? They are. They're essentially taking medical records. They're selling them for various reasons. They could be selling 'em 'cause they're getting money for 'em. They could be doing a lot of different things.

So I said, so let's stop. Stop completely, but just stop.

You're looking for activity on the wire. They're already in, assume they're already in. Now start to build your security practices as if they're already in the front door. Is that still the case, or is there an even more sophisticated way to look at it at this point? Yeah, that's spot on. And it's funny you say that, 'cause actually this morning I gave a presentation to a CIA, sorry, CIO Council, and the name of my presentation was Defending a Compromised Network.

And that's pretty much the method. The only thing I would add to that is let's really step back and say, when does the damage occur? The damage occurs typically with the outbound exfiltration. Now, yes, you could argue that if somebody's deleting data or ransomware, that could be impactful, but most of the damage is stolen records, confidentiality attacks, which is outbound.

So what I would tell a CIO, you need to start with outbound detection. If you brought me into your organization and you were concerned about security, the first thing I would start doing is looking at everything leaving your organization. I'd set up outbound proxies and I'd start filtering that really tight.

'Cause once again, everyone's focused on inbound prevention, but the goal and the way you win this game is outbound detection. Yeah, so you brought up the word ransomware and it would be criminal for us not to talk about it. There's been a lot of ransomware in healthcare this year, and even recently post-election, there's been some ransomware attacks.

What are we not doing well in order to protect ourselves from ransomware at this point? To me, what we're not doing well is we're not understanding the difference between replication and backup. So I work with a healthcare organization and they said, Eric, we don't have to worry about ransomware.

We have four levels of backup. Our data, anytime we make a record change, anytime we update it, is automatically backed up to four other servers in real time around the country. So our data is good. And I stopped them and said, no, you are replicating your data. So if a server fails, you're good. If a hard drive fails, you're good.

I said, the problem is you are confusing replication and backup. If I come in with one server that's replicated four times and I encrypt that data, what's gonna happen? It's gonna get replicated to those four, and now within 30 seconds, all four of your servers have encrypted data that's held ransom and you can't recover.

That's the problem. It's not backing up. You still need to do old school backup, the tapes. You still need to back up to offline media, so if your replication gets corrupt, you can still recover the information. We just... you're killing me. We just got rid of all that stuff. I mean, we went to this end.

We got rid of the tape robots and the libraries. It was too intensive, too crazy. The failure rate on the tapes over time was bad. We had to store 'em at Iron Mountain and a bunch of other stuff. There were costs associated with that. And now you're telling me, hey, let's go back. Let's go back to the future.

Right. Now do you think that's coincidental with why ransomware came out? Attackers? Ransomware has been known. It's been known for 20, 30 years, but five, 10 years ago, it was silly to do ransomware because we knew you had everything backed up. We knew you had tape and robots and all that stuff, so they didn't do it.

They waited for healthcare to get rid of all of that, go to this high-replication, high-availability environment. And that's the exact reason. They know your playbook. They knew you took out the tape backups, and that's the reason why ransomware is such a hot area of attack, because they know it works.

Yeah. Let's talk about business associates real quick. So one of the challenges in healthcare. We have these business associates under business associate agreements, and these are people that can handle this, this protected data for us on our behalf. And these could be, uh, people that are processing payments.

It could be call centers, could be insurance carriers. It could be a lot of different things. It could be innovators, innovation companies that are innovating on top of some of this data. So we sign these. And, you know, we just poke holes into our network to allow information to be going back and forth.

How could we be doing that better? I mean, almost to a certain extent, the health system now needs an audit function. We need to be able to go out to each one of those BAs, the business associates, and audit their network and their practices. I mean, do we need to go to that level, or is there another way to do this?

To me, what we are doing with a lot of the healthcare clients that we have is with those providers, we're going to thin clients. So if you look at the big risk you have with having a third party or a third-party entity accessing your information, it's that they have a laptop or computer with an operating system.

That operating system can get infected with malware, they can then connect to your network, spread that malware very quickly. They can download information to their system and that system can get compromised. So it's really the endpoint that's that huge exposure point. So by now moving to a thin client, and they're not expensive.

That's the nice thing. You give it to that provider, and whenever they wanna access your information, they turn it on and it goes out to one of your servers and gives them a trusted operating build that's patched, it's up to date, it's secure. They then access your data. There's no hard drive, so there can't be malware, they can't store it locally.

They do the job that they need to do. You are monitoring and tracking it. And then when they shut it down, that all goes away. And the next time they come in, they get a new operating system. So we need to get rid of the exposure point of a compromised operating system for third parties. And to me, thin clients are a great way of doing that.

Alright, so thin clients. So you're limiting the ports, you're limiting certain access getting through. So you're not worried about their network being compromised. And actually, let me take this to where I think it's happening today, which is we pushed all these people to work from home, right? And it's fine.

I mean, you gave me a company laptop, I brought it home. Here it is, it has all the right software and stuff on it. But my kids over here, this is hypothetical by the way, my kids are outta the house, but my kids over here on Fortnite and hitting...

There's just, you know, botnets, you name it, on my network. If I'm doing a thin client from my company-issued laptop, do I need to be worried about a compromised network on this side? I mean, that's always a concern, but that's a much, much lower threat. And the reason is this: it's not a compromised network.

It's compromised endpoints, because a network is really just the wires and the cable. So your kids' laptop, their Xbox or whatever they're playing Fortnite with, that's compromised, but that is just scanning and looking. So if you have a locked-down, hardened endpoint, a thin client, it's gonna be very hard for that to get in.

So I would say that's a very minor issue. That's a low probability of success. The bigger issue, without thin clients, is you have your work computer at home that you do all your work on, and when you're busy or going for a jog or at the gym, your kid comes and either surfs the web or plays Fortnite, it gets infected, and now once your computer's infected, that's the problem.

So it's really the infection of the computer, not the network, that becomes problematic. Yeah, that makes sense to me. Alright, so the thing I hear from CEOs:

cybersecurity is really slowing down our strategy. We have a business strategy that is about digital. It's about engaging the patients. It's about remote patient monitoring and all these other things. But every time I turn around, we're sending a, you know, seven-page document to every vendor that we're gonna be working with.

And we have to go through this long list of things. I mean, that needs to be filled out. You think, hey, we just signed this contract, let's connect them up. Once it gets to the cybersecurity part of our organization and the IT part of our organization, the thing just comes to a screeching halt, it feels like, and something that feels to me like it should take a week takes six months.

What can we do about that? Is there a way to keep cyber from slowing us down on the business strategy side? Yeah, so there's two comments I have on that. The first one is it sounds like you don't have a true Chief Information Security Officer. What happens in a lot of organizations is people view the CISO as a promotional path for a world-class engineer.

So you have a world-class security engineer that's been at your company for 10 or 12 years, and they say, if you don't give me the CISO title, I'm gonna leave. And you give them that CISO title, but they're not really a CISO. And because they're super technical and super geeky, they're gonna take six months to cross every T, dot every I, and that's the slowing-down process.

A good CISO understands the business. They know how you make money. They read the financial statements, and they understand that six months is unacceptable. So having a true strategic cybersecurity thought leader can speed up that process very, very quickly. The second thing I would urge you to do is make sure you are having accurate data.

So you're saying it's slowing it down, but do you realize that even if it's two weeks, if it didn't take two additional weeks for it to go through security and you got hit with ransomware. And that takes you down for two months or three months. Isn't that better? So you have to recognize that while security is meant to be a business enabler, there's gonna be a small impact for doing security.

But if you don't do security, there's gonna be a huge impact for not doing it. So the comment I always make is, do you wanna spend 10,000 extra dollars today on security? Or in six or seven months, when you have a breach, do you wanna spend eight or $10 million on remediation? So it is gonna cost a little bit.

I don't think it has to be to the extreme that you said of six months, but an extra week or two, I think you need to recognize, based on the value, is worth it versus the alternative of having a major breach that takes you down for significantly longer. You made the comment earlier that more than likely my network has been breached.

Right? If I'm a healthcare system, I'm a target, and we know that they're targeted because of the FBI warning and the stuff that just went out. So how do I know? I mean, if a CEO or a board member is listening to this podcast right now, do they just go into their CISO and say, prove to me that we haven't been breached?

Prove to me that we're not currently breached. I mean, how do they determine that they haven't been breached? And that's the problem. You can't. You can prove a negative. You can't prove a positive. I can go in after you have a breach. I can say, yeah, you've been breached, but it's hard to go in and be totally comprehensive.

However, some things you could start doing is, one, have a security metric. You've worked in IT. Most CIOs have a metric, five nines, that's their focus. The board understands it. Their team understands it. If they deliver 99.999% uptime availability, everything is good. The problem is we don't have those metrics in security.

So you need to get a five nines of security. You need to get a single metric that your security team is providing you, and where I recommend starting is, just for a couple of months, have them tell you the number of attempted attacks against your organization on a weekly basis. Because most CEOs and boards of directors don't realize how bad the problem is.

When I ask them that question, they go, Eric, it's probably eight or 10. And I say, what if I told you for your organization it was 80,000 a day? And they have no idea how bad the problem is. So we need to, not with FUD or emotion, we need to get factual data and start showing them the real data and the real information.

The second thing that most organizations do today is they do traditional incident response. Traditional incident response is you sit back and you wait for the smoke. You wait for something visible. The problem is, other than ransomware, these attacks are invisible. They're stealthy, they're targeted.

There's nothing. So you're sitting back saying, I don't hear anything. I don't see anything. We must be good, and that's very dangerous. What I would urge an executive to have their team do is something called proactive incident response or threat hunting. What if we have people that every month they aggressively look in the organization for signs of compromise.

They're aggressively going in and looking for problems or issues so you can go in and catch them early. I'm very, very big on overall health. I get my blood work done every quarter, and the reason is simple. If I wait for there to be a visible sign of something wrong with me, it's usually to a point where it's really bad or it's inoperable.

So by getting the blood work done every quarter, I'm looking inside and I'm getting visibility you wouldn't be able to see externally. That's what threat hunting is. You need to go in quarterly, aggressively attack your own network, look for signs of compromise, and start getting more visibility into what's happening.

Don't just sit back and wait for your company to appear on the nightly news that you've had a breach. Wow. Well, you're, you're, that is, I mean, every time we, we go down this path on, uh, cybersecurity, I am. Yeah. I, I, I understand why CIOs are overwhelmed and why CISOs are overwhelmed. Let's talk about CISOs for a minute.

Because it sounds to me like they're, they're, they're the, uh, focal point. They're the, the quarterback that makes things happen. What kind of qualities am I looking for in a CISO? I mean, what, what makes a good one? What, what's their background? I mean, did we just make this title up sort of on the, on the fly and, and we're just popping the wrong people into it?

Or is there a path that you get a really solid foundation for, for being a, uh. Yeah, so what makes a really good chief information security officer is they need to be a translator. They need to be very fluent in business. They need to be very fluent in cybersecurity, and they need to translate between them.

They need to understand the business and how it works, and they need to understand technology and how it's implemented. The, the problem that we've had is if you go back when the position first came out like 10 years ago. We put business people in that role, they, they understood the business. They had MBAs, but they didn't understand cybersecurity, so they couldn't talk to the team.

They didn't have any respect, and that wasn't successful. Then we went the other extreme where we then made it a technical promotional path, where you take your world class security engineer and you make 'em a CISO. The problem is they don't understand the business. They don't know the business, they don't know how it works, and therefore they're not very successful.

Uh, I'll, I'll give you an example. I was sitting in a meeting with this brand new CISO that the executives were trying to have me coach, and he just wanted nothing to do with it. He was this world class engineer that had the CISO title. And he's in the board meeting and he's just riffing on technology and the advanced adversaries and the, and he's just geeking out.

And finally one of the board members just goes, stop. I have one question for you. What business are we in? What is our business? And how do we make money? And I was just like, oh, the wheels just came on. He, he had no idea, he couldn't answer the question and, and that's the problem. So to me, if you have a CISO in your organization and you want me to assess 'em, I'm gonna assess 'em with two questions.

The first question I'm gonna ask 'em is, what is your company's competitive advantage in the marketplace? The second question is, what is threat hunting? And if you can answer those, that means business, technology, and you're good. If you can't answer either one of those, then I know there's a major problem with that person.

So to me, the problem with CISOs is we had 'em buried under the CIO for so long that it became a technical position, and now that security is as mature and rising up to the level of a CIO, they're not strategic enough and they don't understand the business. Where, where do they fit in the organization? Are they, they're a peer of the CIO that reports into whom?

So to me, they need to be a peer of the CIO. So if the CIO is reporting to the CEO, then the CISO needs to report to the CEO. So they need to be at the same level. If your CIO reports to the COO, the Chief Operating Officer, then I would have your CISO report to typically your Chief Financial Officer or your Chief Auditing Officer.

But they're still at that same level because we have to recognize that uptime, availability, and security can sometimes contradict, and you need to have an executive that's equally hearing both sides so they can make the best decision for the company. That's interesting. So we, we, when I, uh, went in to be a CIO for the health system, we actually split out the CISO reported into me.

We, we broke it out. We hired somebody. We actually gave them the Chief Security Officer title. They did information security. They also did physical security. The case that was made. We, and we hired a person for. But the case that was made is security is security, essentially, and, and.

Walk in the front door, gain access to our systems and all those kind of things. It has the same kind of threat, if not a worse threat, right? So people can really do damage if they're walking in our front doors and gaining access to areas that they shouldn't gain access to. So that person oversaw that.

Are you seeing that trend, or are those two really kept separate? Now we're seeing that merge together where you have what we call a CSO, a Chief Security Officer, that has both IT security and physical security. The only exception to that is where there's heavy physical components like utility companies that have nuclear reactors where you're gonna have heavy guards and guns and stuff like that.

That's gonna be kept separate. But in healthcare, in banking and, and, and retail, where those are pretty close. I mean, it's not a huge heavy, you don't have folks running around with automatic weapons and things like that. I would say yes. You're merging those together. The, the other trend which you might or might not like to hear 'cause you're a previous CIO, is CIOs are all about availability.

Security is really three things. It's confidentiality, integrity, availability. There's really three components to it. So what we're actually seeing some organizations do is making the CISO the top. And then they have a Chief Confidentiality Officer, a Chief Integrity Officer, and a Chief Availability Officer, the CIO.

So we're actually flipping it where instead of the CISO reporting to the CIO, the CIO's reporting to the CISO. Right. But then where does the Chief Digital Officer report in that kinda scenario? Typically they would, they would be that role of the integrity officer, because usually that type of officer is really focused on the digital information, the integrity, the accuracy.

So that would be sort of that tier under those three. So what, what are the tools of a threat hunter? Just outta curiosity. So you're saying, Hey, go out and, you know, identify the threats. Are there tools that they use for that or is just, uh.

I don't know, problem solving and intuition kind of stuff. I, I would say the key tools are large amounts of energy drinks, uh, with high caffeine, no social life and really, really smart. No. Uh, essentially what it is, it's a lot of network monitoring and analytical. So if we, if we just do the basic breakdown of an attack.

I, I know the unique signatures are different, but almost all attacks. This is what they're gonna do. They're gonna break into a system. They're gonna upload code, they're gonna survive a reboot, and they're gonna gain control of that system known as a pivot point. Then from there, they're gonna do lateral movement into the network to get to the next system.

They're gonna do lateral movement until they get to the data, and then once they get to the critical data store or the database, they're then gonna make an outbound encrypted command and control channel back out to the internet, to the adversary, to steal the information. So when you're talking about threat hunting, it's network-based threat hunting, and it's host-based threat hunting.

So you're gonna start off with network threat hunting, where you're just gonna have a lot of analytical tools where you're looking for anomalies, you're looking for lateral movement between servers that just doesn't logically make sense, and you're looking for outbound encrypted channels to IP addresses or countries that the traffic normally wouldn't flow.

Then once you see the anomalous network traffic, then you would go in and look at the host and then you would need very good operating system skills to look at that host to say what is running at startup and looking for any anomalous activity on the host itself. Wow. Eric, this has been great. So as the CEO, what, is there anything else that I need to know as I go back?

To my organization, the, assuming you're talking to a CEO at this point, I'm gonna go back and have a conversation with my, with my CISO. I'm gonna have a conversation with my CIO. Anything else I really need to understand? I, I would say you need to increase the conversation with your CISO and make sure that they know what you're looking for.

'Cause what I've seen in most organizations is a CEO reads the news, they talk to their colleagues and they're concerned about cybersecurity, that they're concerned about it. So they ask for a briefing from the security team. It's a security person that's not strategic, and they come in and they geek out and they talk about all this technology, and the CEO has no clue what they're talking about.

The CEO gets frustrated, gives up, and never talks to 'em again. So to me, the CEO needs to have at least monthly meetings with security. It should be 15 minutes. And here's what the CEO needs to ask for. I want one page and one page only, and four columns. I wanna know what are the risks, the likelihood of occurring, the cost if it occurs and the cost to fix it.

For the top 10 risks for my organization. That's all I want. I want you to present that to me and I wanna do a 15 minute Q&A on a monthly basis. The CEO needs to tell the security folks what they're looking for and they need to have regular interaction with them because the more the CEO understands high level, the better they will be able to support the security team in budgeting and resources.

So we had a subcommittee of the board that we had to meet with every time they got together, and the Chief Security Officer and myself would go and present to them. One of the odd things about that, to be honest with you, is I would say two thirds of the meeting, we were doing education. We were trying to bring them up to speed on what was going on.

We were sharing articles with them. We were sharing stories with them. And to be honest with you, I'm not even sure they knew what questions to ask us. Does that same format work for a board? Yes. Because when, when you really look at it, and I, I present to a lot of boards and sit on a lot of boards and work with a lot of CEOs, essentially they care about the financial success of the company.

So what they really wanna know are what are the security risks at a high level in English. Likelihood of occurring, cost if it occurs and cost to fix it. That's what they care about. And if you do that correctly, that will be educational 'cause you will be teaching them about new threats that are out there.

But notice all it's focusing on is the financial impact to the business, and that's what boards care about. The problem is way too many security people and even CISOs get into too much detail about attack vectors, how they work and how they operate. And the board doesn't care about that. That's what they're hiring you for.

They wanna know financial impact. Keep it clean, keep it simple. And you'll notice a lot of effective communication when you're speaking the language of the executives. Do, do, do I need to have somebody on my board who really understands cybersecurity? I am finding that it's helpful. So I sit on one, two. I just got two more, so I sit on seven boards and, and the way it works is before the quarterly board meeting, usually a week or two before, I'll have a 90 minute meeting with the security team, and I'll go geek out.

I'll ask all the, I'll get all the information. I'll get all the details, and then I'll tell them, this is what you need to present. And now they usually come to me with about 20 slides and I whittle it down to three or four, and then they go in and they just whittle it down to the high level information they need in about a 10, 15 minute presentation.

We then go to the board meeting. They give a high level presentation and I look at the rest of the board saying, I met with them in detail. I vetted and validated this information. I feel that these are the two concerns that I have that you should be aware of. This is what we should do. Do you have any other questions?

They ask a few questions of me, they trust me. So they know that I did the due diligence. And to me that tends to work a lot better than trying to cover all the security that's needed in front of all the board members. 'Cause it takes too long and they don't care. That's so true. So Eric, this has been great, uh, to close us out.

Tell us about Secure Anchor Consulting and, uh, how can they find out more information about what you, you, you do, and what your, your organization does? Uh, so Secure Anchor. We're focused on helping organizations build effective strategies, train up CISOs and help organizations be properly secure against the attacks.

I'm very active on social, so if you go to Dr E-R-I-C-C-O-L-E on any social media platform, I actually have a weekly show on YouTube called Life of a CISO, where I go into a lot of these details every week. And then if you're interested in my company, it's secure-anchor.com. We have a website, and if you'd like to set up a consultation with me, you can also email me directly at eCole@secure-anchor.com.

Fantastic. Well, Eric, thank you. Thank you again for your time. We'll have to, we'll have to stay in touch as it seems like this space is constantly, constantly evolving. The, the, I guess the, the, the more things change, the more things stay the same because ransomware's around.

It's just, it's just constant. It's just always there. Yep. I'll just leave you with the final thought is, to me, what I've seen in the last two years is the attacks have been getting less sophisticated because organizations are so reliant on technology. They're getting more sloppy. Amazing. Well, Eric, thanks again.

I appreciate it. My pleasure. Thanks, Bill. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. They can subscribe on our website, thisweekhealth.com, or you can go to wherever you listen to podcasts. Apple, Google, Overcast, that's what I use, Spotify, Stitcher.

We're out there. You can find us. Go ahead and subscribe today or send a note to someone and have them subscribe. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hillrom, and Starbridge advisors. Thanks for listening.

That's all for now.
