Understanding Cloud from a CISO Perspective
Episode 4838th February 2022 • This Week Health: Conference • This Week Health
00:00:00 00:13:34

Share Episode


Thanks for joining us. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week in Health IT. 📍 A channel dedicated to keeping health it staff current and 📍 engaged.

Welcome to our hybrid cloud briefing. I'm excited to get into this topic today. We're going to take a look at understanding cloud from a CISO perspective. Chief Information Security Officer. We're joined by Doug McMillan, former CISO and current Director of Healthcare for Sirius Healthcare. The podcast series is going to culminate in an excellent panel discussion talking about who owns cloud strategy in your organization and how to effectively build out a strategy. Check the description box below for the registration link to learn more about our upcoming webinar. We want to thank Microsoft and VMware for making this content possible. Now onto the 📍 show.

Today, we're joined by Doug McMillan, the director for Sirius Healthcare who focuses on cybersecurity and for cloud computing. And we're going to have a conversation about cloud computing. Doug, welcome to the show.

Thank you. Nice to be here.

Looking forward to the conversation. We're going to, we're going to break cloud down into a couple of topics over the next couple of shows.

The first one, we're just going to talk about what is cloud and what it's about, but let's start with this. Give us a little of your background and your experience with cloud computing.

Yeah, sure. As you mentioned, Director of Healthcare, I've been with Sirius now for a couple of months. I come as a former CISO and CTO for Cone Health in Greensboro, North Carolina.

which ended up culminating in:

Wow. That's fantastic. We actually had you on the show before where we talked about the fact that you guys were able to do DR in the cloud with epic. And I think that was a major undertaking for you guys and pretty exciting work. Let's step back a little bit before we get there and talk about what is cloud and why does it matter to healthcare?

Yeah. So I speak with a lot of leaders on this and you know, what is cloud? I tried to boil it down to just make it very simple. It's really just any compute and storage environment that's really being served up. I think the big differences is when you speak with leaders, especially like CIOs and CFOs, a lot of the times they don't really understand the difference between the private cloud and the public cloud.

And I would say in terms of our IT organizations, we tend to misuse the word cloud. So when you generally hear someone say cloud, they're really probably referring to public cloud. But in general, when you look across all of the private versus public, you have things like on prem which is your private clouds.

You have colos, vendor hosted and then you get into infrastructure as a service platform, as a service and software as a service. But again, most people are really striving to get further to the right-hand side of that target, which is more on the infrastructure as a service platform, as a service and software as a service.

Yeah, it's interesting. We talk about moving up the stack and literally when we're saying that as you're a CTO, I'm a former CTO. When we're saying that we actually see stacks and we see different layers of that stack. And when we're talking about cloud, we're talking about the data center, the network stores, the physical servers, the virtualization environment, the OS, the applications, and the, data layer.

So talk about that migration. When we're on prem, obviously all those things, that entire stack is ours, but as we move across, what things move into the cloud? Do we move it all into the cloud or different pieces as we move along that stack?

Yeah. So generally as you're moving from left to right, most people have seen those types of I'll say graphics but left or right.

You're really moving out of your data center and away from the physical based hardware and a little bit further up that stack, which is moving into things. It is more around just software. So as you think of our on prem, obviously data center, the network, the storage area network, some of the physical services that you have there, your virtual environment with them.

As you start to shift to colo, let's say the data center, right. You know, that kind of drops off and you start to still take care of the others. As you moved to vendor hosted, then things like some of the physical pieces start to move off. But really, as you shift over into that, I and paths, it's really only hitting operating system level and up. Obviously networking from just, you know, software defined networking that is still under your control as you move into your public cloud instances. But it's really mostly operating system and above, which is what you're really looking for.

And so when we moved to something like like a Workday or a Salesforce, that's all the way over on the one end. We don't know what servers we're running on.

We don't know what the operating system is. Virtuals. We don't know any of that stuff. That's all being handled. What we really are worried about is the interface and the data itself. We're just creating experiences for end users. Whereas when you go all the way back to the on-prem, I mean, we're doing, we're doing it all. I mean, we're doing the, we're spinning up the servers, the virtualization environment, whatnot. And so talk about what are some of the benefits that come out of moving to the cloud for healthcare?

Yeah. So, immediately the things that jump out for me are scalability and agility. So you know, anyone who's had a large data center environment I think everyone's got into that, I'll say complicated upgrade path where you're looking at a large scale refresh but between your VM environment, between your storage environment, between your compute environment, everything has to be at this pristine level of matrix, you know, so you're doing all of these cross walks to say you have to be at this certain firmware version, this certain operating system version, this certain VM version.

So that becomes really a nightmare. So as you start to shift into that IAS and paths and fast, you're really giving up those heartaches and then taking your staff from that lower level work and moving them into something that I would say is a little bit more strategic for the organization. Which is really around the data, the integrations in that experience.

One of the things as we move to the cloud, people are always talking about the cost. But one of the nice things about the cost of the cloud is it's really defined. Isn't it? I mean, if you spin something up, you're going to pay for it. If you spin it down, you're gonna stop paying for it.

Is that another aspect that CFOs tend to like, or tend to gravitate towards?

They definitely do. And what I would say is, you know, just based off some experience, I think DR, you know, that's obviously from a hybrid DR, the huge cost savings because a lot of organizations have put a lot of capital based infrastructure into a DR data center. That really, I would say on I, on average, it is just sitting there. It's really not being used. Now obviously some organizations have tried to move down, maybe an active, active data center but it's still a large footprint that is sitting there and unused. When you start to look at moving out to the cloud and let's say, you know, turning it on and off as you're using it yet, you're saving, you know, just tons of money over time.

And I think one thing that we all have to remember you can spend down compute and not pay for, you're still paying for the storage, right? So you still got the storage costs because obviously that image is sitting in the cloud and you're still paying for that. But still when you put it as a combined and let's say, do a five-year TCO from an on-prem to a cloud environment, the cloud is going to save you some money from a DR perspective.

When you start looking at production, it's not necessarily going to be a cost savings, but again, you can have some optimizations and that's where each organization has to have their strategy to say, is it really worth moving that workload, knowing that maybe the cost is more expensive to run in the cloud. But you still gain the agility and flexibility that you don't have on prem.

Let's dive into the agility a little bit. You know, we just came through the pandemic and one of the things I've heard over and over again is if it weren't for the cloud, we would have been in so much trouble. We had to spin up so many things and do those things. Where just the agility come from in moving to the cloud?

Yeah. And I'll use a couple of examples that, that I had during COVID. So first obviously there was the whole telehealth boom. Right? So obviously so many digital services were being rolled out and they still had some sort of backend infrastructure with compute and storage that was required on our side.

So we could easily bend those things up and down inside of an Azure without having to go through the heartache of procurement. And I think that's where, as it was mentioned before that matrix of upgrades, I mean, procurement, especially even with COVID has become just extremely slow. I mean, we're seeing chipsets shortages that is dramatically impacting how fast you can get hardware into your data center.

So as you start looking at things like cloud services, you can actually spin those up, but you're not really waiting on that procurement and you can really just start to take advantage of them. The other major use case that we had during COVID was we had a very large amount of our workforce shift from on-prem out to remote work.

Twofold there. One thing we started immediately serving up virtual desktop sessions using Citrix as well as WPD. We took advantage of both out of Azure and give that ability to remote into our work environment. And then the second thing is we used a couple of different software based VPN for our remote staff.

And we used two different services inside of Azure to be able to dynamically scale that environment without having to worry about purchasing something in our data center.

I'll tell you Doug. The other thing that was always impressive to me about the cloud was the automation and the programmability. My IT team was always coming in and really shocking me with, Hey, look, what we can do.

We can spin up, you know, 25 servers, a complete cluster that does all these, these functions. And all we have to do is hit this one button and it all gets, gets stood up. And so even from the IT side, there's a, there's a fair amount of automation that could be offloaded.

Yes, sir. And to me, those are the soft costs that, and I'll be honest sometimes it's a little hard to sell soft costs to your financial teams. But it really is there. And it really does allow you to focus on things that are way more strategic in nature. But some of the arguments I've had with some CFOs in the past is it's not really a cost savings.

It's just, you're moving somebody to work on something else. So you don't save money, but you definitely save time and allow them to do more work.

Yeah. But the thing I'm telling people right now is we have this significant competition for labor and to the extent that we can start getting our people working on the really fun things, the really exciting things, and a lot less on the, Hey, can you go down into that data center, pick up that server and put it into the rack?

I think we're going to be able to attract people to just more dynamic work as we move forward. Let me close this one out with this on security. So security used to be one of the main reasons that people would give as, Hey, we're not moving to the cloud security. What's the current state of that? How should we be thinking about cloud security?

Yeah. So definitely it is a concern and it's a valid concern because I think we've all seen the headlines where maybe someone made a misconfiguration and all of a sudden that has been exposed and it could be, you know, PII or PHi, and now you end up having to report a breach.

So the concern is valid. What I would say is over time, seeing how cloud controls have evolved. And seeing how that you can use let's say, security platforms to kind of monitor and ensure that things like that are not happening. I think the risk of them happening is going lower and lower and lower.

So what I try to tell CISOs, as I've talked to them over time is, you should view the cloud as the solution, not the problem. Because again, cloud teams have a lot of the same problems that your traditional infrastructure teams have, which is you're operating with not enough staff and doing way too much.

So again, if you're thinking of cloud and you're thinking of dev ops, well add in DevSecOps, and now all of a sudden you start to be able to do more with less. And that's again, to your point of staff shortages. That's the key in this time.

Absolutely. Doug, thanks for this great introduction into the 📍 cloud.

What a great discussion. We want to thank our sponsors, Microsoft and VMware, who are 📍 investing in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now. 📍



More from YouTube