UnHack (the Podcast): Passion Over Paychecks and Hidden Risk with Mary Dickerson and Gordon Groschl
Episode 114th November 2025 • UnHack with Drex DeFord • This Week Health
00:00:00 00:26:39

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Drex DeFord: I'm Drex DeFord, president of Cybersecurity and Risk at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together, because cyber safety is patient safety.

Let's get started. I was talking to somebody the other day. "Identity is the new perimeter" came up in the conversation between three or four of us, and one of the folks in the conversation was really adamant about how identity has always been the perimeter that we used to build, kind of, these layered defenses.

But the reality was, when somebody got through, what they were going for was an identity, because that's how they blended in and were able to do all the bad things that they were gonna do. It's really interesting to take that whole alternate approach. I really like that.

Gordon. You got any thoughts on that? How do you guys think about this?

Gordon Groschl: So all the technologies, everything that we do in security is not combined with our SOC to allow for,

I would say, a completely seamless integration of all of our security technologies, and making sure that we are applying best practices and principles from all angles, not just from day-to-day security operations, but also from how the SOC actually looks at all of our technologies and how they're helping us protect the organization.

And then we created what I would call an identity center of excellence. So we actually combined our identity and access management team with what we call directory services. So all that's in there: Active Directory, DNS, DHCP, all of those services are combined with our identity and access management team to basically allow us to drive a holistic strategy around identity.


If you go back a few years, everybody said zero trust is a network segmentation exercise. It is, but it doesn't end there. And if you don't have a solid, real-time, I would say, decision-making engine around identity that overlays all of this, then you still don't have zero trust.

And I think that's where this awareness was raised that, oh yeah, identity is the new perimeter, because that's what really is the glue that keeps everything together. And it's not the network, which has been the predominant thought for the last, what, 25, 30 years at this point: that as long as we have the network under control, it's all okay.

almost in some ways too.

We have people in healthcare too, that are in our organizations for 20 or 30 years and work in seven or eight different departments.

And the whole challenge with deprovisioning them from resources they used to have and then reprovisioning them in their new department, all the work with HR. How do you guys deal with that?

Mary Dickerson: We work very closely with HR, and as the identity providers, we manage a lot of those relationships.

One of the challenges of being an academic and healthcare organization is the fact that there are very few identities that are single identities, because we have many students that are also staff. We have many faculty that are also students. I mean, everyone has multiple roles, and those roles don't fit into easily defined buckets.

it's very important that we

You wanted to make sure that you were secure, that you weren't gonna get breached, all these things. And I think we've transitioned to the idea that it's not a matter of if you're going to have some type of incident, but when, and the key to it from the organization's perspective is

al account could potentially

So if a bad scenario happens, I also know where to step in to make sure that those services are not impacted and the overall organization doesn't even know that something has happened. So it's really understanding how all the different pieces fit together to get to our goal, which is to continue to provide services regardless of the situation that gets us there.

Drex DeFord: Gordon, it's not just the identities of the humans. There are a lot of other identities on the network now too that you have to deal with.

Gordon Groschl: Yeah, absolutely. Non-human identities are definitely, I would say, an emerging threat. And I think threat actors are very much after those because it allows them often enormous amounts of access. Sure.

Drex DeFord: Like service accounts and things like that. Yeah.

an API into your EHR that is

triggering any alerts, because it looks like a normal data operation. So having an understanding and inventory of all of your non-human identities, where they are, what they are used for, and limiting their access is actually something that we work on very hard, because it is definitely something that scares me a lot in this hyperconnected world that we live in.

SaaS platforms left and right, APIs all over the place, and data flying around from one point to another. I think there is a lot of work that is ahead of us, and it's created a whole new attack surface that we're now all trying to, I would say, control. And like with everything, it all starts with visibility.

ey doing? What are they used

If you don't have a good understanding of what's all in your Active Directory (yeah), and all the accounts and how they're used, and what's on your network; if you don't have a good asset inventory that is accurate, with a clear understanding as to who owns all these different assets and what their purpose is, you're gonna have a very hard time doing all these other things.

tually quite a bit of energy

Have a clear understanding there of every identity in our inventory, what they are, whether it's a privileged account, a non-privileged account, a service account, or other credentials. And then you can start building on top of that. But until then, you're gonna struggle. Yeah.

Drex DeFord: We used to think a lot about that sort of inventory as mostly an equipment inventory.

Now it's become an identity inventory. And as Mary kind of alluded to, a lot of it now is really knowing and understanding exactly how and when those things are connected. How's the neck bone connected to the ankle bone?

Gordon Groschl: I know, right?

Drex DeFord: In that network, in between the identities. Yeah.

s that you need to basically

It has gotten better. I don't think we have reached the golden state yet, so to speak, but I think it's not as bad as it was even five years ago to get this done.

Mary Dickerson: I think one of the keys to all of this though, is really understanding what is normal.

Not only, Gordon, to your point, do you know all the different things that are connecting to your network and all, but what is the behavior that you expect to see from these different things, so that you can know when you see something that you're not expecting? And I'll never forget, 20 years ago, I was in a meeting and they were talking about this.

It was financial services and all kinds of other industries that were there. And the person from financial services, we were talking about password strength and stuff like that, and he said, oh, we don't care about passwords. And everyone was just like, oh my goodness, financial, you know? And he goes, no.

What we do, though, is we

So he said, we don't care how they get in. We care what they do after they get in. And if it's not normal behavior, then it immediately gets flagged and our fraud team looks at it and everything, he said. But we know what a typical user will do. And very soon after that, he explained, we'll know exactly what you will do, because we know your behavior.

art doing something we don't

Is this something that we need to be worried about? And that helps address the insider threat as well. It doesn't matter if you are the legitimate person that owns that account; if you suddenly start doing things that you shouldn't be doing, that should not be typical behavior for you. And if we can detect that, we can respond to that before other bad things happen.

Gordon Groschl: I think I need to talk to my bank, because they're constantly confused about my behavior, rather than sending me text messages when I'm just trying to pay my hotel bill in California, for example. Clearly, they're confused about what I'm doing.

Drex DeFord: I've had to have a couple of conversations with my credit card company about how much I travel and how it isn't weird that I actually will be charging something in this city and then charging something in another city.

ut I love that behavior, the

All of those kinds of things can pile into that. Ugh, you guys are killing me. There's so much stuff that we could talk about. I love it. I wanna go to the lightning round, because this is also a little bit about folks getting to know some things about you. So, you guys ready to do the lightning round?

Sure.

a walk-up to the podium. It's

Mary Dickerson: I think I would have to say "Standing Outside the Fire" by Garth Brooks.

st merely survived if you're

Drex DeFord: I noticed that in your bio and I was like, should I ask about that? Should I not ask about that? So before I go to Gordon with the same lightning round question (Gordon, you can think about this), Mary is the volunteer firefighter. It feels so in tune with the CISO job. Is part of this that you're drawn to that because that's just how you're wired?

Mary Dickerson: It could be. So I was actually a volunteer firefighter long before I got into cybersecurity. And then the joke after that became, at least in my volunteer job, they give me appropriate firefighting gear that they don't issue to cyber professionals.

ar Lake area that we live in

And so my husband started first, and I decided it sounded like fun, so I did it too. But I didn't wanna only drive the firetruck, so I got certified as a firefighter to do interior firefighting, and I've done it for 25 years. So it's been a lot of fun. It's neat to serve your community, and there are an awful lot of parallels between the incident response that we do on the emergency management side and the incident response that we do on the cyber side. So it's been fun to see the crossover between those two disciplines. They each have their adventures.

Drex DeFord: That's amazing. Hey Gordon, so on your walk-up song, I think, is this a question we might have asked you at a 229 Project Summit?

Did we use the walk-up song? I'm gonna ask you again anyway. What's your walk-up song?

m a big rock music fan and I

Yeah, I like that. You can get stuff done, you can do it. It's a positive song. I would pick that. It's a very upbeat song, and it resonates with me. I've always been somebody who liked a challenge, in my personal life or career.

And so "Don't Stop Me Now" speaks to me.

Drex DeFord: I think that's a great walk-up song. Okay, next question. Maybe this will be the last question; I'm looking at the time and I don't wanna run us over. You might know some young people who wanna get into healthcare cyber. What's your best advice for them, and what's the worst advice they'll probably hear from other people?

Gordon, start us off. What's the best advice that you would give them and what's some of the worst advice they'll probably hear from other people?

et approached quite a bit by

They reached out to me and said, hey Gordon, I wanna talk to you. I want to go into cyber, but I really don't know, how do I get there? And I asked them, okay, so what do you wanna do in cyber? And they were just, like, telling me that story about, I'm not really sure, and maybe this, that, what do you think?

plus years, before

So you wanna find something that you actually like to do, that you enjoy doing, and that you're passionate about. And then we can talk about how you get to that goal, but first, define your goal. Do you wanna be a SOC analyst, or do you wanna be an identity specialist? Do you wanna be in governance, risk, compliance?

Maybe policies and procedures is what excites you, right? But first, figure out what actually excites you, what you're passionate about, and then we can talk about, oh, these are certifications or trainings you can take, right? To build core knowledge, expertise.

Drex DeFord: What's the bad advice? The bad advice, yeah.

Gordon Groschl: It's all about money, right? Oh, you should become, I don't know, a SOC analyst because there's more money in SOC if you work in a managed service, et cetera.

way what I really wanted to

To me, that's one of the worst pieces of advice that I've ever heard.

Drex DeFord: I think you gotta have a job and you've gotta make a living. But the people that I've seen be really successful, they actually love what they're doing, and they figured that out early on. They got into it, and because they were so passionate about it and creative about it, the money came along with the energy and the focus that they put into it.

I like that. That's good. Bad advice: don't chase the money, chase the passion. Yeah.

Gordon Groschl: Be passionate about what you're doing and have fun, and don't chase the money. The money comes by itself.

Drex DeFord: Yeah. Mary, what advice would you give them, and what's the most terrible advice you think they'll probably get?

Mary Dickerson: I say the

2.5 years doing this because it was listed on the job description, then I shouldn't even apply for the job because clearly I can't do that, and I have to get them to look at it from a different perspective. It's like, everything that you've done, every job that you've ever held, has led you to be the person that you are today.

ave will bring them a unique

But you have to recognize that yourself first. So when someone says, what can you offer for this position, if you've only looked at it as, I've only ever done this part of what you say you want, so this is the only part that I can do, you're really missing out. You're missing out on not only what you can offer that employer, but on the benefit that employer can get from someone that's done different things and has seen things from a different perspective, who will bring more to that role than they may have even anticipated in the beginning.

Yeah. So I think the bottom line to that is: recognize what overall expertise you have, and then figure out how that fits the job that you want to try to obtain.

Drex DeFord: Yeah, I like that. What's the terrible advice that they're probably going to get?

Mary Dickerson: I think the terrible advice really is, if you haven't done this, then you're not qualified.

ve never had that role, so I

As Gordon said, it might be that one thing that gives them a whole bunch of excitement to go to work and do, but they may self-select out from even applying for that because they haven't already done whatever they think that position calls for.

Drex DeFord: Yeah. If you don't ask, the answer is automatically no.

And the other part of that, really, is that all of our jobs boil down to: are you a nice person? Can you get along with others? Can you build collaboration? Can you solve problems? Are you really good at solving problems? 'Cause there are a lot of problems. If you're good at that, there's a lot of opportunity for you.

So focus on those kinds of skills. Absolutely. I like where your head's at, Mary.

Gordon Groschl: Drex, do you mind

Drex DeFord: Yeah.

Gordon Groschl: And this is something that personally aggravates me, like, fundamentally. How many of you have seen job postings for entry-level positions?

And this speaks to what you're talking about, Mary, where they're saying, I'm looking for an entry-level security analyst, right? With 10 years of experience, three certifications and, I don't know, ideally a master's degree. And that's not, I know, but that's what the expectation is, right? And when we then think about the talent shortage, I think, in many ways,

organizations are their own worst enemy. You're not giving people a chance.

Drex DeFord: It's like you almost don't really wanna hire that position.

body has to have a degree in

Right? There is a lot of value in coming from other areas and having a baseline knowledge. Somebody who has an interest in computers, maybe did some entry-level courses or certifications, can't be a super awesome junior analyst that can really take a totally different perspective on things than, let's say, somebody that's been doing this for 15 years?

And I've seen this in our organizations, as a matter of fact, where we really started hiring college grads, and sometimes even high school grads, into junior positions. And they brought a completely different level of energy and a different perspective to things that challenged everything that we were doing in that space, right?

Or the topic that we were trying to accomplish. And it's really refreshing, and I feel like we're making this way too hard on ourselves as a country when we talk about cybersecurity talent.

agree. And I would also say,

are not as well versed in what cybersecurity could be. And we deal with a lot of the "we require a bachelor's degree in computer science," and it's like, that's a small part of what we do as part of cybersecurity, because we've got policies, we've got things that are much more on the art side of some of the things that we do.

Our awareness campaigns are marketing. And so when you look at all those different pieces, the idea that the only degree that works for cyber is a Bachelor of Science in computer science or something like that. And to your point, Gordon, do you even really need a degree now? If you have expertise and you have certifications that show, you know, on-the-job practical stuff, do you really need that piece of paper that says that you graduated with a certain body of knowledge?

His degree is in music, has

And so I think, to the point: cybersecurity is a very complex and continually evolving field, and we have to look at anyone in this space as a potential person with whatever expertise they have, and not automatically rule out people that don't fit a certain cookie-cutter image that isn't even applicable anymore.

Drex DeFord: I don't even know what to say after that. Like I said earlier, there are so many things we could talk about. I hope you guys will come back. I'd love to have you both back, and we could dive into all the other things we didn't talk about today. I really appreciate you being on the show today, Mary, Gordon.

Thanks for being

Mary Dickerson: Thanks, Drex. This has been a fun conversation.

Gordon Groschl: I know, it's a fun way to ease into the afternoon. So thanks, Drex.

Drex DeFord: Thanks for joining us on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.

Together we are stronger.
