UnHack (the Podcast): Your Vulnerability Scanner Is Lying to You with Jack Kufahl & Gregory Garneau
Episode 127th January 2026 • UnHack with Drex DeFord • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Jack Kufahl: So how do you take extraordinary people and allow them to be extraordinary? What something has to give.

Drex DeFord: I'm Drex DeFord, President of Cybersecurity and Risk at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together because cyber safety is patient safety.

Let's get started.

Hey everyone, I'm Drex. So this is UnHack, the podcast. Welcome. I have a couple of great guests today that I have known for a while, gotten to know better even recently, Jack from Michigan Medicine and Greg from HSHS.

How you doing guys? Good to see you here.

Jack Kufahl: Good. Happy to be here. Thank you. Hi, good morning.

summit in the fall, and it's [:

But at the summit you sort of talked about your teams and building the team and. Security planning efforts in a way that had long-term viability. Something that if for some example, as an example, if for some reason you won the lottery and left that it wouldn't be the kind of thing where the whole program is kind of wrapped around you and wrapped around your personality.

Talk to me about that. Do I have that, do I remember that kind of right or,

Jack Kufahl: That's in the direction it was, really. And I don't know what my first thought was becoming the CISO here. I wonder about that some days. But it was this idea that Michigan Medicine didn't really have a formal security program.

pass forward 'cause vendors [:

Mm-hmm. And bosses come and go and department names change, all that kind of stuff. And what I really was struck by, as I was getting to know my by then very new CISO friends and family, was the turnover. And I think that's still happening. Now, there's all kinds of different data out there, but it's a couple years, right?

A healthcare CISO is expected to last a couple years, you know, before they die from stress or leave whatever company they're working for, you know? So I was looking at that. That wasn't my plan. And, you know, I've been here for 10 years. But I still think about that because there were a number of people in my immediate CISO circle that were.

Sort of always talking about, you know, why they left and just career and sort of three beer conversations and, and those types of things. But there was this remorse that they had. It's like, Hey, we built a program and as soon as I left it fell apart. Or I built a really great program and I'm taking all my people with me to the new place.

n, I get it and I'm. I'm not [:

So that's what it was kind of based out of. I didn't wanna build something just to have whoever came in next say, well, that last guy didn't know what he was doing, not disputing that, therefore we had to go back to square one. And that shaped the things I bought, how I bought them, when I bought them, who I hired, why I hired, and that really fed into the talent pipeline idea.

Like, what do you wanna leave behind? You wanna leave this idea behind that? It's a place where you grow careers. It's a place where you can have good work life balance and those types of things. Not because it's a moral imperative, I think it is, but it's something that I was uniquely positioned to do.

know, an E xr, any CISO can [:

Right. And I'm the first Michigan Medicine CISO, I won't be the last. But that's the type of stuff. It kinda reminds me of when you drive by your old house. Yeah. And you know, if it's gone to rack and ruin, it's no skin off your nose, but it still kind of feels bad. Yeah. Or if they're doing really nice things with it, it's like, oh, they took down that tree, or they fixed that.

You know, if it's still going, there's a little bit of shared pride that you did something more right

Drex DeFord: than that. I was part of that. Yeah. There's this thing too, you know. I've kind of always subscribed to this idea that like, wherever you go, and it doesn't matter what it is, it doesn't matter if it's the, you know, returning the cart in the parking lot or wiping down the bathroom.

lso build systems that allow [:

Jack Kufahl: Give it a chance

Drex DeFord: in the long run. Yeah. And

Jack Kufahl: there's no promises, right?

In cybersecurity or healthcare it, but you know, you gotta give it a chance.

Drex DeFord: Hey, Greg. Same. I mean, same kind of question. How are you building teams? Where do you find folks? It's for cybersecurity.

Gregory Garneau: Yeah, it's interesting. You know, Jack was obviously the first CSO at Michigan Medicine; I came into the program, into the system at HSHS, after an event, after a cyber event. Right, right. They wanted specifically to build a world-class cyber organization and thankfully, I've had some experience doing that at my previous health system.

s was a great opportunity to [:

A program that they'd never had previously, right? Mm-hmm. And in support of the mission, we understood what happens when bad days occur, and we didn't want. To have that again, it's never, you know, we never can say it's never going to happen again. But we needed a fighting chance. So we had an opportunity. I was supported by leadership, supported by colleagues to build that program.

And when you look at what do you do with staff, like the staffing, we didn't have a program really to speak of. We had some really dedicated people on the team, but there was really no overall direction, right? It was kind of a rudderless ship. We came in and we started from, you know, the basics, and this week or next week I'll celebrate my two year anniversary here.

se two years is just nothing [:

Ultimately, what we're here to do is serve patients, right? Our job is to make sure that we support those who support patients in a safe environment, and that's what we're here to do on the cyber side. So I was able to find some folks who had worked with me in the past who wanted to come and join the mission.

Drex DeFord: Mm-hmm.

Gregory Garneau: I also was able to bring in former interns of mine. We talked, Jack talked about the pipeline, right? Interns of mine who worked for me when they were in college, they'd moved off to do other things in cyber, you know, entry level positions and doing some of that other stuff. And I called 'em up.

now. Do you wanna join this? [:

Mm-hmm. How can you ensure that if you go, you have the program in place, people, process, and technology to continue to support the business? And what we've spent a lot of time also on the technology side is finding solutions that extend our capabilities without actually having to hire new FTE.

And that's a huge component, right, of this whole battle we have on finding people.

ead through it the other day [:

But you know, it's the same vibe for the past decade. So, so what are we doing? And you know, part of, and I'm not saying I'm immune to those pressures, being part of the University of Michigan, we probably have a different opportunity for talent retention. 'cause it's such a stable institution, right?

So, I mean. You know, nothing's like recession proof and nothing's, anything like that. But as far as industry goes, universities are pretty stable, right? Even beyond healthcare being pretty stable. So when I think about this talent pipeline issue, you think about not just that how do you grow, how do you bring in, but how do you change your department and what capabilities you're looking for to match that.

analyst and this is a third [:

Ethos out there that the more you do things standard, the more sustainable you're gonna be. And I get that right. The whole repeatability.

Gregory Garneau: Mm-hmm.

Jack Kufahl: I think that might be what's wrong, or at least partially wrong with cybersecurity talent. Because cybersecurity talent has a lot of extraordinary people available from both a behavior and a skillset point of view.

And if you try to take extraordinary people and then put them into ordinary containers, put 'em in

Drex DeFord: a lane and say, stay in your lane. There's so

Jack Kufahl: much

Drex DeFord: overlap and inner

Jack Kufahl: connection

Drex DeFord: between the jobs.

Jack Kufahl: So how do you take extraordinary people and allow them to be extraordinary? What something has to give.

ent is. And the more you can [:

I think extraordinary people, an extraordinary person only makes your program better. Maybe not in the way you predicted, or maybe not in the way that the spreadsheet said it would. And if you can do that, you're creating an environment where you'll get sustainability and longevity. But I think nothing breaks that more than take an extraordinary person.

Who either overtly or covertly understand they're extraordinary and say, but you're not doing the ordinary stuff well enough. If anything, the ordinary stuff that an extraordinary person may not be, be stellar at great spaces for managed service providers and outsourcing or near sourcing, you know, type ideas, right?

Drex DeFord: Or AI and agents.

Jack Kufahl: There's hope, right? There's hope. There's hope with the AI. And if somebody can tell me what's real and what's not in AI, I'll, you know, like, I got a spot for you.

g talked about, you know, he [:

He hired some interns he'd worked with before. My question is really aimed at, are you hiring people internally from other departments in the health system sometimes. Or you and the university?

Jack Kufahl: If there is something to be proud of in that space, I'm proud at how concisely I can answer that question. I've got folks on my staff who are joining who have had very strong and established multi-decade careers in hospital administration, and they wanted to get into cybersecurity as a second career type thing and are working the pipeline there. I've got people coming in from junior positions out in IT, you know, service desk, desktop support, system administration, and like the stability that not just the university provides, but also cybersecurity.

here's, there's this really, [:

And that creates problems, right? Because you got. All sorts of different people with different ideas and different, you know, diversity of, you know, cognitive diversity and demographic diversity coming together and trying to figure out how to, you know, stop Vladimir. And you know, that's a special skillset, but I like watching that sausage being made.

So it may not be the most short term efficient model, but over the course of time. And back to that, what do you leave behind? I hope that sticks around, right? That idea that there isn't. Single place you recruit from, or a single pipeline. It's all those things. And the more flexible you are, when you really start looking at it through that lens, everybody's extraordinary at something.

Gregory Garneau: Mm-hmm.

es it works and sometimes it [:

But it's not anything I think you could package up and market to a CHRO and say, this is the way you do talent recruitment. I think it might be something somewhat special to cybersecurity. And if you allow it and if you're patient, I think we're really seeing payoffs in that space.

Gregory Garneau: I think one of the things that I've been seeing for a number of years the notion of, you know, you've gotta think outside the box to find talent, and well, that's true, but there's no box anymore. You just have to look right. All sorts of interesting, unique places. Attitude, acumen, and curiosity, if you have curiosity,

Jack Kufahl: is super important.

How people are curious is

folks who wanna start, come [:

Finding some of those people who are kind of outliers, who, you know, have those three qualities, and you bring them in and they turn into just absolute rock stars with the right mentorship and coaching from the other team members. It really is fascinating to see people grow and become engaged. That whole notion of putting a really smart person in an ordinary job where they're just mailing it in, checking the box every day, the disengagement over time just turns that person into way less of themselves. They're not willing to give back to the organization because they're not being challenged and engaged every day.

and even some of the. Senior [:

I think you're gonna excel at that. And then, it works most of the time, but it doesn't work all the time. So then you, you know, make course corrections and get back to it. But yeah, those are the qualities that we really look for in any candidate who shows up.

Jack Kufahl: The curiosity one is essential.

And one of my favorite questions to ask new employees or prospective employees is, how do you like to learn? Because. Whatever cybersecurity is, it's not fixed, which means we're in a constant learning pattern. So the question doesn't have a right or wrong answer or preferred answer. It's does that person know how they learn best or

Drex DeFord: mm-hmm.

way? So it's that, it's that [:

A lot of people work, you know, work really well with pairing or work well with coaching and mentoring or professional or, you know, are very visual or very booky and it's, it's like, hey, all those are all right answers. But are you cognizant of how you like to learn because that leads like a breadcrumb logical trail back to, are you curious?

Right. In science, nobody screams Eureka. But people do say, huh, that's weird. And they go one layer deeper and that curiosity just keeps driving. And you know, I firmly believe everything with AI and everything with managed service providers and everything with collaboration, that's all important.

But cybersecurity and healthcare is because of the complexity of the workflows, complexity of the environment. It's a human job. So, and it's, almost in an unknowable place, right? Healthcare 'cause it's so complex and it's changing and it's so intricate and it's so storied. So if you're not curious.

AI agent to look for network [:

Drex DeFord: I think it's interesting that curiosity piece.

So, you know, and not just curiosity, but the other, they're good problem solvers and they work well with other people and those kinds of generic. Great skills that anyone you would want to have on your team should have. You just teach 'em the cybersecurity stuff they need after that. They come in sort of preset with this stuff and then you teach 'em the cyber stuff.

Jack Kufahl: Yeah, I think cyber's pretty teachable. And over the past 10 years, I think there's a lot more help in that space. I think a lot of the vendors have stepped up. And the vendors that I'm really interested are not the ones that are just selling their wares, but want their stuff used well.

Drex DeFord: Mm-hmm.

that's really where there's [:

Drex DeFord: in some ways, the vendors are actually teaching your teams how to be better.

Jack Kufahl: I hope so too. To me, what a strategic vendor is isn't the cost of the invoice. It's like, oh, if you give vendor A a million dollars, they must be strategic. Actually, some of our biggest bills are some of our least strategic vendors, because what I'm looking for out of a strategic vendor is engagement and some,

you know, stakeholdership in how well our team is doing and how well their products are working the way they want them to be successful.

And when you start looking at it like that, I can look at my OPEX general ledger and draw a line straight through the middle and say, oh, those are the vendors that are strategic.

They're in the trench with me, and this is their contribution versus the ones I'm just paying. Right. I got nothing against the ones that I'm just paying, but that's just buying stuff. And I tell you

Gregory Garneau: right

Jack Kufahl: when that, when the interesting vendor, you know, startup community is disrupting that and they've got something better.

opping, you know, and trying [:

Drex DeFord: Greg, I know you've talked about this too, the difference between kind of partners and vendors or, partners and kind of commodity delivery vendors.

So how you think the same way you think in the same

Gregory Garneau: Absolutely. And today, as Jack talked about, we have so many disruptive startups in the cyber world. I call them disruptors because they're doing really amazing things. That you can look at and say, okay, so let's take a look at your tech.

What does it do for us? But what kind of partner are you gonna be? How are you gonna help me support my mission? Right? Because ultimately I'm bringing in your tech and your solution to solve our problems, which is securing a healthcare environment, right?

Jack Kufahl: Hmm.

Gregory Garneau: To Jack's point, I can tell you we have.

vendors and you know, it's. [:

And to Jack's point, the vendors are starting, or they've been doing it for a while but the, the notion of having the resources for your team to get better at the platforms and encouraging. Them to take the, you know, the online universities or whatever they're calling them these days to help upskill your team.

Because to Jack's point earlier, this is constant evolution. You are having to learn. You're having to. Look at problems differently and ways to solve them differently. And the vendors, the really good partners are helping your teams upskill and do that. And I look for that. And that goes a long way for us.

ortant, but when you get the [:

Jack Kufahl: And, that was another one of those data points in that workforce study document that I keyed on, and that it was later in the study and there was a piece of data there where you know, there was, it was a, Hey, what, you know, how, how do you train or, you know, what would be more meaningful?

And it was part of an engagement and burnout. And I think it was one of the second ones that said. The second most, noted one in the survey, it was something around the lines of, I don't have enough time to learn the tools. Right. And you know that's true. So like when do we mostly train people on tools?

It's like, well, when we're installing something or when we're buying a new module, things like that. And if you think about it, well that's happening all the time everywhere. And that's work. So how are we baking into our 37.5 hours a week of individuals, what is that training time? What's, what do they want?

, Hey, we bought this thing, [:

You know, juniors to seniors and seniors to leads and so forth and lose 'em or something like that. But the more you support somebody's career, the more they're going to be interested in staying in that environment. Right, and if they leave, then they're leaving for the good reason, right? People do leave the organization, right?

We have really good retention, we have really good employee engagement. All those types of things, we don't pay the best, right? We don't pay the best in southeast Michigan. We pay right around the 50th percentile pretty consistently, so we could be out-priced, but I think people tend to stay because of variety and because of that career.

e out in pen testing. 'cause [:

And I think that goes a long. Long way, and as a group of CISOs and leaders and people interested in developing the overall talent pool, how do we make that time and not have it be a burden? You know, bake it into the, the work time. So you don't have 37.5 hours of a vulnerability analyst.

You've got 30 hours of a vulnerability analyst because this professional training is work, and if you prioritize it, everybody wins. Everybody benefits. The tools are used better, the talent's used better, and you're a better boss for it.

Drex DeFord: I think as you, implement a new tool to, well, you know, we all know maybe you, you learn 50% of what that tool can do.

rt of this is they learn the [:

The reason I really love staying here, one of the reasons is that when I go have beers with my friends on Friday night, I've always got the best and most interesting stories about the work that I'm doing.

Jack Kufahl: Right? That was the one thing that surprised me with exit interviews. It's like, oh, you know.

What did you like? What did you not like? Why are you leaving? Tho those types of typical questions and a theme emerged. It's like, oh, I stay 'cause I really like the variety.

Drex DeFord: Yeah,

Jack Kufahl: and you know, that gets back to that don't put extraordinary people in these static roles because that will reduce the opportunity for variety and there's a lot of grind.

Cybersecurity. I mean, God bless people doing third party risk management. It is a grind. Right? So how do you figure out how to de-grind? Right? And that's time that, you know, a vendor ain't gonna help you with. You have to sit down and figure that out and work with your other CISO leaders and leaders outside of security.

ow do you address burnout in [:

Gregory Garneau: I like the idea. I like the idea. And this just goes to a theory of how do we keep people engaged? Let your teams' individual contributors, engineers, analysts, architects own it, right? So you are running threat and vulnerability management. You may not be a manager or a director, but I've entrusted you as the senior to run it.

And you get to make decisions. You get to own it. And down to the brand new analysts who we bring on the juniors. Let them have some skin in the game. Let them feel like they, their work matters and they actually have ownership of something and that I have found to be incredibly valuable.

Yeah. We talk about, hey, [:

Jack Kufahl: A lot of my, my team probably gets really annoyed at this, but, you know, I say a lot of the same things over and over again, not because it's a great trick, right? If you can just say the same thing, you get paid twice. But it's, a lot of leadership is repeating yourself.

When we think about, what is a driving force in satisfaction for, at least the people that I think work really well at Michigan Medicine is this idea of autonomy and mastery. Right, because healthcare and even academic medicine beyond that is a, you know, it's a bureaucratic organism, right? There are layers and there's, I I, one of the things I say is everyone's middle management, right?

You know, so if you're thinking about progressing your career, is it that you wanna be a middle manager? Or is it that you want autonomy and mastery? Do you wanna be a leader of something? And you know what? Legit, some people wanna be managers, and often those people make the best managers, like management as the craft, not as the consequence.

ator sort of person. Uh, but [:

The only path to that isn't how many time sheets do you have to fill out, how many employee evals do you have to do, right? That's the management piece, right? I love people who do it well. It's pretty rare to find people who are doing the HR stuff well inside IT, let alone cybersecurity, right?

That's sort of the leadership tax in a lot of places. And I think that also hurts retention, right? If you've got bad management, if you've got bad middle management, bad supervisors, leads, that's what causes people to leave. That causes a lot of burnout, right?

And, you know, it shouldn't be, and I'm a living example of that. The person who knows the most shouldn't necessarily be the one in charge. You've gotta have an aptitude that, that, in, that you're curious about that yourself, that you want autonomy and mastery around your management and leadership capability.

If you don't want that, boy, I would recommend not getting into management inside of IT or healthcare.

g round question and then we [:

Jack Kufahl: Drex, you're just kind of recording what Greg and I do anyways when we call up each other. Right,

Gregory Garneau: right. I mean,

Drex DeFord: I love that. So this is, this is your, regular weekly conversation or monthly conversation.

I just happen to be, in the waiting room. You're just kind of

Jack Kufahl: there, man.

Gregory Garneau: Yeah. You're there buddy.

Drex DeFord: This is great. Tell me one thing you've changed your mind about recently.

Jack Kufahl: That's a tough question. Is it, it's something that I change my mind about perpetually. It's one of these things that I have to keep reminding myself about.

'cause it's, and it gets back to this, there's a right and wrong way, you know, sort of thing. And I have to constantly remind myself there's no limit to the number of right ways of doing something. And if you're lucky enough to know there's an absolute wrong way. You know, great. But that's just as rare.

You know, I had somebody on my staff who's just starting out in a leadership role. And, you know, she asked a very interesting question. She said something to the effect of, Hey, would you let me know if I'm going in a direction that you weren't going? And we're doing some, she's taking some stuff over from me.

t about that and I said, you [:

And the more that I can do that, 'cause you know my department's around 80, 90 people, but I don't have a direct reporting relationship with 80, 90 people. So how do you like express that sentiment? It has to be. Emphatic with the people that directly report to you, and you just have to keep talking about it.

ise in integrating with your [:

It's pretty dumb and we gotta do it. And I'm not saying that there isn't good data in there, and I'm not saying don't scan your vulnerabilities, but you know, there's also,

Drex DeFord: that's another one of those, like more than one way to skin a cat.

Jack Kufahl: There is. Mm-hmm. get a sticky note. Figure out how many hours and how many people you're putting into vulnerability scanning.

But then be honest with yourself, how many of those people are actually pushing tickets and just trying to make the ticketing system work or the, you know, the integrations work. And then start thinking about how could I redeploy that effort towards taking whatever the vulnerability scanner puts out and starting to put it through a threat interface, right?

And really not worrying about the policy of, if it's a 10, if it's a 9.9, you do this; if it's a 9.7 you do that. All the good dimensions are in threat intel. And if you're not looking at threat intel, you should do it. It is not a hood ornament for rich health systems.

at threat and just moving as [:

Gregory Garneau: never gonna get there. And everybody can afford H-ISAC and their threat intel, right?

In the healthcare space, you should be ingesting it.

Jack Kufahl: There's resources out there and there's also people in the community. So it's like, I don't know what threat intel is. There's communities and we're all trying to figure this out. I don't think anybody's got it figured out, but healthcare's figuring it out and there's a good community around it, but the faster you can start putting anything, if you've got $5, put a dollar towards threat intel.

Just whatever you can do, just start investing in threat intel using threat as a prioritization engine.

Drex DeFord: I mean, I think it changes. It's the, it's a lot of, this is the maturity part of it too, right? Instead of taller castle walls and deeper, wider moats, we're gonna patch all our vulnerabilities and that's gonna keep us safe.

It really is sort of the reality of like, we can work really, really hard at that, and there's a whole bunch of things that are still coming at us that we don't really know about. So, threat intel and,

Jack Kufahl: Well, and you'll just have no partnership in that, right? Because IT isn't made of dumb-dumbs.


And what you've done is you've just spent an incredible amount of time and effort. And if you're not conscious enough to say, yeah, she's right, that's not the problem. Every time we've gone to another IT team with threat and we've explained our model, there's been zero friction.

I mean, it's just like, yeah, we agree that is a real problem. And more times than not, they come back and say, and we know that's a problem, and we could really use your help to get through the, you know, the bureaucracy, the politics, you know, if you need, you need some money or whatever. Right. Type thing.

Gregory Garneau: It's the exposure management stuff that we've

Jack Kufahl: Right, right. That's what they call it.

Gregory Garneau: Right? It's it. Okay, so we'll, go down the threat and vulnerability road for another 30 seconds.

Drex DeFord: Okay.

nvironment. It's not playing [:

You know, the tens and the nines and the eights. Are those really exploitable? Are they a KEV? Right? Are they part of the KEV, known exploitable vulnerabilities? Do they run at run time? You know, all the things like the worst of the worst. Those are the ones you go after. And to Jack's point, once you do that, then you can say, well, we used to have

30 people running around patching. Well, we've been able to reduce the number of FTEs institutionally on the IT side, on the cyber side, who are engaged in this exercise. So they can go off and support the mission in other ways. But you're still focused on getting rid of the most critical and the highest vulnerabilities that we know will impact you.

Drex DeFord: Mm-hmm.

ind of one of the things. So [:

Jack Kufahl: That's where we're at, right? I forget what the words are, but that's.

Drex DeFord: I love it. You guys, you guys have effectively taken a lightning round question and turned it into another whole show, so we'll

Gregory Garneau: do that. Yeah, that happens.

Drex DeFord: Hey Jack, Greg, thanks for the show today.

Gregory Garneau: Happens when we get bourbon in us?

Jack Kufahl: Yeah.

Gregory Garneau: Oh,

Drex DeFord: that is soon. We'll figure that out. Jack and Greg, thank you guys so much for being on the show. I really appreciate it. I hope I get to see, I know I get to see Jack soon. Hopefully I get to see you too Greg, really

Gregory Garneau: soon. Yes, we'll work on it. Thanks, Jack.

Jack Kufahl: Thanks.

Drex DeFord: Thanks for joining us on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.

Together we are stronger.
