Cybersecurity is Patient Safety
Episode 13 • 24th November 2021 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee • 00:42:15


Shownotes

"Cybersecurity is patient safety and patient safety is cybersecurity," is how Stoddard Manikin, Chief Information Security Officer, Children's Healthcare of Atlanta, described the significance of cybersecurity readiness in the healthcare sector. Speaking with exceptional clarity and eloquence, Stoddard traced the evolution of the cybersecurity threat landscape and governance approaches, before discussing in detail what it takes to succeed as a modern CISO.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-13-cybersecurity-is-patient-safety/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcripts

Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach by SAGE Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to another episode of the Cybersecurity Readiness Podcast Series. Today, our guest is Mr. Stoddard Manikin, Chief Information Security Officer, Children's Healthcare of Atlanta, with over 18 years of progressive experience in information technology, security, and privacy. Stoddard specializes in advising complex organizations on security topics, including regulatory compliance, integrating information security with enterprise risk management, and identity and access management. So we are truly privileged to have a subject matter expert with us. Stoddard, welcome! Thanks for making time for this podcast.

Stoddard Manikin:

Thank you, Dave. It's great to be here.

Dr. Dave Chatterjee:

So given the amount of time you've spent as a cybersecurity professional, I'm sure you've seen a lot over the last 25 years in the cybersecurity space. How would you capture the evolution of this phenomenon, and what has stayed with you by way of lessons learned?

Stoddard Manikin:

I think that cybersecurity has evolved dramatically since I've been involved in the 1990s. And that's true of so many aspects of, you know, modern life. But in particular, we didn't used to call it cybersecurity, either. We used to call it, you know, information security or even data security. So the name itself has changed over time to reflect what the world thinks of it. But I think that, most importantly, it's captured the imagination much more. So it's kind of followed that hype train, if you will, that popular culture typically does, where something is marginally understood by the masses, and then some tiny aspect of it is used to appeal to the masses. Like if you look back many years ago, when there were hacker movies coming out of Hollywood, and everything was just super oversimplified and glorified. And it made everybody fear that these hackers were everywhere, and they could get in and steal all your information by guessing a couple of passwords, right? So now I think we've gotten to a point where most people realize there's not just somebody hiding in a basement somewhere with a dial-up modem cracking into all these different organizations. I mean, now we're talking about organized crime, state-sponsored actors, you know, script kiddies renting ransomware as a service and using it to make money. And it is truly a cottage industry, where at this point, a lot of these ransomware-as-a-service will not only provide the software, but also they include English-speaking help desks to help their payers figure out how to buy bitcoin and pay the ransom. So it's a tremendous evolution in terms of the threat landscape. And it's also a remarkable evolution from the perspective of practitioners like ourselves. So the specialization is significant. Whereas 20 years ago, you might have one security person, or maybe just a network person who dabbled in security, and they had to learn how to do it all. And the expectation for management was that one person could do it all. And now you have specialization of positions in cybersecurity much like you do in the medical field, where you wouldn't want to hire, say, a surgeon to look at common colds. Right? What is the point of that? Nor would you want a general practitioner doing surgery. Well, it's a lot like that in cybersecurity: there are certain positions where you are trained to do certain things, and you are not necessarily an expert to do others. And so that specialization has become very dramatic in the industry. And unfortunately, we still have a ways to go in convincing non-practitioners of this specialization's importance, because we still see job postings out there looking for a security professional, and they're expected to do the work of eight different people. So I think that's kind of the next step of the evolution. It's that recognition of the variety of specializations in cybersecurity, and that no one person can do them all.

Dr. Dave Chatterjee:

You captured the landscape very, very well. I couldn't agree with you more. Talking about specialization, getting the right people for the right kinds of roles in cybersecurity is very critical. And there are challenges there. But, at the same time, you also need the non-cybersecurity professionals, the members of the organization, to also do their part. Don't you agree?

Stoddard Manikin:

Absolutely. Cybersecurity is everyone's responsibility within an organization. It's to the point where, in my opinion, certainly every IT job description should have some type of security requirements written into it. Because I think we're past the days where you have a few people in a room providing all the security to the organization, and it's just up to them to take care of it. It's now a central team coordinating cybersecurity for an organization, but directing a lot of different players. And when it comes down to it, people are the easiest way to breach an organization's security defenses. So it's incumbent on every organization to train all of their users that have access to IT resources, and equip them with the knowledge and awareness they need, so that they can be prepared, should someone target them with some kind of attack or attempted attack.

Dr. Dave Chatterjee:

Yeah, the human element in cybersecurity is so significant. I like the way you framed it. I couldn't emphasize more what you just said: everyone has a role to play, and they must be trained accordingly. You know, I've been doing research in this area, I've authored a book, I consult as well. One of the things that I see across the spectrum is a varied approach to cybersecurity awareness and training. In some organizations, it's about checking the box and doing the required training once or twice in the year. It's kind of broad-based, a hit-or-miss approach. And then there are other organizations where they have a more role-focused training. In your experience, what have you seen? Or what are you seeing? And what are your recommendations when it comes to cybersecurity awareness and training?

Stoddard Manikin:

It's a great question, because it's so relevant. And I think that what you were describing, where an organization might provide perhaps an onboarding training when they first start, to say, "Hey, don't give your password to anyone, and here's how you enroll in password reset, and watch out for phishing attempts." That's, like, maturity level 1.0 and table stakes. Right? You have to do that on their first day, of course. But from there, it requires consistent reinforcement of the topic, and reminders for people, because human beings typically can't retain information forever after hearing it once. And so what I find to be most effective is to start off with that kind of onboarding training, that background stuff, the context. And then what that does is it plants triggers, so that when the users hear future trainings, it reminds them: Oh, yeah, that is important. And I remember why, and I heard this before somewhere, but I can't quite make it out. And so over time, you build up that retention and awareness. And I think that minimum once-a-year type of training is what a lot of organizations do. And frankly, it's not enough, depending on someone's job function and responsibility. So maybe you do that for the majority of your workforce that rarely has to worry about security issues. But if you've got people processing an invoice and payroll, then they are specifically going to be targeted with business email compromise attempts constantly. And if you only train them once a year, you can't expect them to successfully repel those attacks that have been honed and improved upon through thousands of attempts around the world on a daily basis. So I find that providing them specialized training, giving them a forum to ask questions, testing them on it, perhaps even monthly with a simulation exercise, is how you get the best behavioral response. The other part of that training is it can't just be one way. When you're giving them the info, the next step is to test them on it. And then the step after that is to measure them on it. So for example, if you do a quarterly or a monthly phishing test, capture the results of that test: did people click on the link or enter their credentials? Did they open the attachment? Did they do nothing? Did they report the message proactively, which is the best behavior? And then report on those percentages by department, by division, by type of user to the leadership chain, and the data will help you figure out where your education is working, and where it needs to be improved.

Dr. Dave Chatterjee:

Fantastic. I mean, being able to measure the effectiveness of training is so critical. And I don't hear folks in your position emphasize this enough. In fact, this is the first time I'm hearing a CISO so emphatically specifying the importance of measurement. Because there's no point giving people training if you're not able to see the progress, or, if you don't see the progress, what else can be done. In other words, you know, taking a very substantive approach, as opposed to a check-the-box approach, where you really want to see that whatever training is being given is having an impact. Talking about measurement, Stoddard, if we can go a little broader, as the CISO of your organization, and you don't have to be specific to your organization, you can be very generic: what are some metrics or KPIs that are being tracked or should be tracked?

Stoddard Manikin:

This is a very challenging one to answer, because the audience that you're preparing the metrics for has very different levels of understanding of them. So you know, if you think back to the old days, when you had a CISO who was more of like a network security person or an IT security person, they would try out the metrics of, you know, the number of intrusion attempts and the number of things that got blocked at the firewall, and all very kind of technical, objective data that wasn't necessarily meaningful to the audience. I think there's a place for some of that data to remain in your kind of dashboard reporting type of things, particularly for your executive team and your board. But I think you've also got to have some other really common-sense measures in there, things that are more related to the organization itself. Like, for example, if you have a strategic goal to reach a certain level of maturity on a given maturity framework, then you might want to report on what your most recent third-party assessment gave you as the maturity ranking, and whether that's up or down, and the areas where you improved, the areas where you're still lagging, and so forth. You might also want to include something along the lines of the number of IT audit findings that happened from an external audit, because I think that's important to watch for trends. And then you can dive into the details either in the comment section or in follow-up Q&A, where you say, here's where the audit findings are. Is it the same place as the last three years, and we're not fixing it? Or is it a brand new place? Or is it a brand new field, like related to cloud security, that's just so new that you don't have a handle on it yet? And I think that that way, your metrics can drive the conversation of where you need to focus and prioritize investment.

Dr. Dave Chatterjee:

Absolutely. In fact, you touched upon three things about performance measures. First is taking a holistic approach. In fact, when I look at my research, my book, I come at it from the standpoint of business value impact measures, productivity measures, extent of preparedness measures, audit and compliance measures. And there can be more. The second thing that you talked about is equally important: what's the point of measuring if we are not gonna review the results and act on them? So what mechanisms are in place to effectively and promptly review the findings and take action? And the third is, who is interested in these measures? And how important are these measures to them? As you know, in organizations, there can be a multitude of metrics, and often what gets measured is what is convenient to measure, not what needs to be measured. And I'm sure cybersecurity is not an exception to that situation. But yeah, the points are very, very well made. Moving along, from the standpoint of CISO empowerment, essentially the question is, what does it take to make a CISO, and when I say CISO, I mean the CISO function as a whole, effective?

Stoddard Manikin:

Well, that's an interesting one, too, because the role has changed over time, including its position in the organization and the reporting structure. And there is no one answer to this either. A lot of it depends on the organization and who's in the roles at that organization. I think that historically, a lot of CISOs came from, you know, one of two places: they came either from military and law enforcement, or they came from a network security type of background. And both of those types of backgrounds prepare you well. But unless you're able to expand your perspective and embrace a lot of other areas of the organization, you can't succeed as a modern CISO. I certainly need the fundamental technical background to understand what people are telling me and what the implications are. I need to understand how law enforcement works, and when do I engage with them and how to do so effectively. But I also have to understand regulatory compliance, I have to understand audit, I have to understand finance, because when I'm trying to get a security product in house and implement it, I have to know how to budget for it, whether it makes more sense for us to capitalize it or subscribe to it and pay it out of opex. I have to know whether the training should be included or not, depending on how we want to pay for things, and what the useful lifespan is going to be. So I've got to understand those financial implications. I also need to understand insurance, because cybersecurity insurance is a critical aspect of this. And then there's other areas as well that you've got to have a broad understanding of. But first and foremost, the most fundamental thing you've got to know as the CISO is the business of the organization that you're in. Because if you don't understand how the business operates, what it does, how it earns money, how it spends money, where it really makes its profit that funds other areas that have losses, then it's very hard for you to understand how to prioritize what security controls need to be put in place, and also how restrictive you can be without cutting off the lifeblood of the organization.

Dr. Dave Chatterjee:

Security versus convenience, security versus mission of the organization; you have to find that balance. Very well said, very well said. So I'd like to follow up on a couple of things you mentioned. You talked about law enforcement and regulatory compliance. And that brings to mind the role that the legal function plays. And if you think about it, when organizations are in trouble, many a time that leads to a lawsuit; they have to defend, you know, all that they have done to protect the organization, and so on and so forth. So doesn't it make sense to involve legal every step of the way? And is that too much to expect? Because when I pose this question to people in other organizations in your role, I get very different responses. And sometimes the responses are not very clear. So I want to know, from a practical standpoint, how feasible is it to involve legal or to work with legal closely?

Stoddard Manikin:

I think it's not only feasible, but it's a requirement for survival of a CISO. So I've always had excellent relationships with the legal officers of different organizations that I've worked with. And I think that it all comes down to the relationship that cybersecurity has with legal, as far as how straightforward it is to engage. Now, I would not propose bringing everything to legal that happens, because so many things that start out as an investigation turn into nothing. It turns into: sure, this looks really bad. It looks like someone just hacked us from Puerto Rico, and we don't have any operations there. But then you dig into the details and the logs, and you find, okay, we actually had someone on vacation, and they got a call, and they were asked to log in and do this. So you know, why would I alarm legal about that until I've done some due diligence around it? Bring things to them that are real, or, if they're significant enough that you don't know yet, but they need to be aware and involved early, then be clear with them that you don't know yet if this is real or not, but you're engaging them early so that if it becomes real, they'll have background and context and they are ramped up already.

Dr. Dave Chatterjee:

Very fair, very reasonable. But it's also true that when you're formulating your cybersecurity strategy, or let's say you're doing an annual review, that you get legal involved to provide y'all with a checklist or a guideline or the do's and don'ts, just to make sure that you're always staying on the right side of the law. Is that a common practice, a common procedure? Or do you accomplish it in some other way?

Stoddard Manikin:

You know, I think it depends. Because really, what I'm interpreting, as you say "legal" in that context, is it's really about regulatory compliance, or even contractual obligations, right, because those are two different things that you have to think about as a CISO. And from a regulatory compliance perspective, you've got to think about the international implications, the national; here in the US, we think about state and local; and then beyond the governmental regulations, if you do business in other countries, you might have GDPR if you're in Europe, and it really gets complex quickly. States have individual privacy laws that you need to be aware of. And that's getting more and more complex. And then on top of that, you've got commitments to other partners that you have contracts with, in terms of how quickly you need to notify them if you have some type of breach. And you even have industry regulations. So for example, in the credit card industry, there's PCI DSS, the Payment Card Industry Data Security Standard. That is not a government regulation; that is essentially a voluntary industry requirement that, if you want to accept and process credit cards, you must follow. But it's created by a consortium of credit card companies. And so that's just kind of another dimension there. And that's why I say, when you say legal, it sounds to me like it's compliance. And in reality, that's not all coming from just one department, be it legal or compliance; that's coming from four different departments. It's going to come from legal and the contracts aspect, and they'll have to handle typically the government regulation. In terms of the industry regulation for PCI, that's going to be the finance division. It gets very complicated. And that's where I was saying earlier, it's really important for the CISO to have broad relationships everywhere, and even if they come from a narrow background, to have very broad horizons in their thinking.

Dr. Dave Chatterjee:

Yep, that is very necessary for the kind of role a CISO plays, which is highly interdisciplinary. And you talked about different types of regulatory requirements. Some are requirements. Some are industry regulations, industry expectations. So how do you stay on top of all this? Do you have a team that provides that guidance? Or is one particular person assigned to make sure that you're on top of all the different expectations from a compliance and other legal standpoint?

Stoddard Manikin:

Well, certainly, we're going to focus on the ones that are most relevant to us, above others. And for example, that would include the HIPAA Security Rule and the HIPAA Privacy Rule, the HITECH Act for health care, things like that. But ultimately, what I have found to be effective is to find a framework, a security framework that incorporates multiple regulations and requirements, so that you can focus on meeting the framework design and measure yourself against that. And by doing so, you're going to cover the majority of your bases related to regulatory requirements. So for example, in healthcare, there's the HITRUST framework that you could adopt. And I think a lot of organizations in the US in particular are using the NIST CSF, the Cybersecurity Framework. These frameworks incorporate multiple regulatory requirements; some of them go above and beyond it. So you actually have to kind of be careful that you don't turn the wrench too tight on your organization. But it's a matter of picking that framework, laying it out, mapping what you do to the framework, figuring out where you're doing well, where you need to improve, and then measuring yourself on that.

Dr. Dave Chatterjee:

Okay, okay. Good to know. Talking about the US healthcare industry, or you can, you know, go even further and talk about the global healthcare industry. There are a lot of reports out there that talk about how the landscape or the areas of vulnerability are expanding because of the use of IoT devices, because of the complexity of these organizations. It's very hard to keep track of where the weak points are. In one particular report, they say there is enough evidence to suggest that US healthcare organizations lack a deliberate, organized, and comprehensive cyber resilience strategy. So with this kind of statement being made, I just wanted to get your sense of what is the state of cybersecurity readiness in the US healthcare industry.

Stoddard Manikin:

So I believe that it's far better than it was in the past. But there's, of course, still room for improvement. When you talk about healthcare as an industry, it is a massive ecosystem. There are providers, including large healthcare systems with multiple hospitals and clinics, there are standalone independent hospitals, there are physician practices, there are medical device manufacturers, there's even the insurance industry around healthcare. It is enormous, and it makes up a significant part of the United States GDP every year. So what we're talking about is just massive, and such different levels of sophistication. But when it comes down to it, Dave, cybersecurity is patient safety. Patient safety is cybersecurity. Now, historically, cybersecurity in healthcare was all about confidentiality, because you were concerned about having a breach of patient data. Electronic protected health information, or ePHI, would be a HIPAA breach. And then, if it affected more than 500 records, then you got on the HHS Wall of Shame website, where it was publicly known. You know what, it's not only about confidentiality, and I'm glad that it's not. It's much more about integrity, and most importantly, availability now, because now we recognize that, especially with ransomware attacks and similar types of things, systems become unavailable. And healthcare delivery, meaning providers, people touching patients and taking care of them, rely on electronic computer aided workflows. And if the systems are down, because some patch broke something or there's a ransomware attack, then you can't easily know a patient's blood type. You can't look at their medical records to know what history they have, what allergies they have. You can't get lab results back to know how to treat a patient. And sometimes that could result in a life threatening or life altering delay. So a patient can recover from a data breach, but they might not be able to fully recover from lack of care. So that's where I really want to emphasize that cybersecurity is patient safety. And we all have to take it seriously, regardless of where we are in that healthcare ecosystem. Now, to be fair, there is a significant disparity in healthcare systems based on size and resources and how prepared people are for cybersecurity impact, right. So those large multi hospital systems typically have more resources and ability to deal with those kinds of things. Smaller community hospitals or systems might have fewer resources. Physician practices, if it's an independent practice, we've seen them close after one ransomware attack, because the physicians that work there said it's just not worth trying to recover. Because all our patient records are in that system, I'm going to retire. So there's really a significant impact if you're not ready to handle these kinds of things. And everybody's a little bit different. So I think one of the things we've got to move towards, and we've started to do so, is to level the playing field in terms of ability to protect yourself against cybersecurity attacks. And that's where things like industry consortiums and government resources help you do what you need to do, even if you don't have the same resources as someone who's bigger.

Dr. Dave Chatterjee:

Okay, that's good to know. And in terms of, you know, threat analysis, where you're kind of testing the recovery capability of your organization, how committed is the organization in doing these kinds of disaster recovery, business continuity planning? If you could expand on these approaches, strategies, let's say?

Stoddard Manikin:

Yeah, I think that testing your strategies and procedures is absolutely crucial so that you're ready to execute on them during an emergency. It's very similar to sports, where if you have a team that just shows up once a week to play games, they are probably going to really struggle to do anything intricate on the field. You've got to practice all week long to get ready for that game. So when it comes to business continuity, disaster recovery, responding to a phishing attempt, responding to a ransomware attack, any of those major types of incidents that you are writing an incident response plan for, you should be testing that at some frequency. You could do a tabletop exercise twice a year and bring all the different people together that would be involved in a ransomware attack. You can do red teaming, where you have offensively minded people on your team try to break something or hack into a system, and then tell you what's wrong and what needs to be fixed. That's actually evolving from the old Red Team, Blue Team model, the Blue Team being the defenders, into a purple teaming approach, where the red team and blue team are in the same room working together. And the red team will say, here's how I would attack it, the blue team says here's how I would defend against it. And then they both go at it together as a kind of a blended purple team. And that actually has even better results than the older model. So there are so many different ways that you should be testing these things. But I agree with you, it's absolutely essential to do frequent tests of the most likely and largest impacting types of incidents.

Dr. Dave Chatterjee:

You know, you mentioned audits. And that brought back memories; I used to be an auditor in my first career. We always do audit, it's like after the fact, and I have been a huge proponent of real-time audit, whether it's financial, whether it's security, because you want to know what the vulnerabilities are, what the weaknesses are, so you get an opportunity to fix it before it's too late. And there's no point reviewing historical facts, because you didn't get a chance to fix it. It's past now. What are your thoughts on the practicality of conducting real-time security audits?

Stoddard Manikin:

I think that it's becoming more and more commonplace. And like you said, it's better to be proactive. Now, I do think if you've had an incident, you should do a very thorough review, root cause analysis, and understand what happened so that you can make changes and it can't happen again. And at the same time, I think that there is a concept that's been around for decades in audit, called continuous controls monitoring, right? And so when we, as security professionals, put a control in place, you think it's there, you think it's configured correctly, it's still operating effectively. But how often are you testing it to make sure? And so often, you put it in place, and you move on to the next thing without necessarily having a good operational plan to monitor it. So what I see becoming much more relevant lately is this concept of CCM, the continuous controls monitoring, where you identify some key controls where if they were to fail, the impact could be significant, right? So high risk. And then from there, you figure out how are we going to monitor this? Are we going to set up some kind of alert to tell us if it fails, and it sends us an email? Are we going to physically test it ourselves once a week, every day, every hour? We got to automate that and then only email us if it fails. That type of approach helps you identify weaknesses and vulnerabilities before someone else finds them and exploits them. And that's certainly one of my focus areas, is to identify what those key controls are, come up with the monitoring plan based on potential risk, and then make sure that we're proactively looking at them ourselves, before someone else finds them.

Dr. Dave Chatterjee:

Couldn't agree with you more, you got to be proactive. You've got to continuously monitor. You know, Stoddard, as you are aware, based on the media reports, many of the breaches that have happened, large breaches, major breaches, the story goes that the organization was made aware, or a particular individual was made aware, who did nothing about it. Based on your experience in the field, how or why does that happen? It's almost borderline negligence. And that's what the courts have found time and again; in several cases, they have found organizations to be guilty of negligence. Can you speak to that?

Stoddard Manikin:

I sure can. And I also want to be very cautious, because you can't always put yourself in someone else's shoes, especially after something has happened. Right? It's very easy to look back and say, how did you not see this going on, guys? But I also know that historically, there has been a certain amount of scapegoating that has occurred with CISOs, where they were not necessarily given the authority or the resources to fix problems. They've made management aware of them and management accepted the risk. And only when it became a public relations issue did the organization decide that, oh, yeah, we should have done something. Right. It's the traffic light mentality. You see car accidents happening at a corner, but until there's a really bad one that gets a lot of visibility, they don't pay the money for a new traffic light, because it's incredibly expensive to put that in there and then maintain it. So, you know, again, I want to be cautious about that concept of negligence, because it's really easy to throw that word around. And that's primarily a legal term that results in higher damages, particularly for publicly traded companies with shareholder lawsuits. What I can tell you from my experience is that the amount and volume of alerts that come from a good, mature security system of anywhere from 25 or more security tools is enormous. And no matter how big your team is, it is a physical impossibility to look at every one of those alerts and determine if it's real or not. So yeah, we need more automation, we need to use more machine learning and AI to handle that avalanche of data. But the reality is, you get so many of these types of warnings that you've got to use your judgment, and your artistic skills and your logic, to figure out which ones are the most likely to be going on, and which ones you need to track down in the limited amount of time and resources you have to deal with it.

Dr. Dave Chatterjee:

You know, that is, you know, very enlightening to know. It's a hard, hard job, no doubt. You touched upon something that brings to mind another topic that is very close to my heart. And that's the possibility of joint ownership and accountability. And you just said that the CISOs, or the security professionals, are made scapegoats of incidents; they often lose their jobs. But yet we say cybersecurity is everyone's business, everyone has a role to play. How feasible is it to have structures and mechanisms where there is some level of joint ownership and accountability, both within the organization as well as when you're partnering up with vendors, where the vendor organization also has a stake in ensuring your data is secure on their servers? Your thoughts?

Stoddard Manikin:

I think that I have been much more successful at doing that within the organization than I have with vendor partners. So, you know, talk about them distinctly. Internally, there is some responsibility with the security executive, via the CISO or anyone else, to build that kind of framework. And by that I mean, if a CISO operates independently and in the dark, and throws around a lot of technical terms and doesn't do a good job of explaining why, then they're not going to kind of build that shared accountability concept with the other key leaders of the organization. Right? What's very important, from my experience, is to explain the why behind things, to do shared decision making about which areas need prioritization based on risk, which ones you're going to jointly agree to not do anything about, or maybe do a slower rollout, for different reasons, be it financial, operational, and so forth. And even get some guidance from key board members so that they understand the risks that you're accepting, the risks that you're not willing to accept, and how much to invest. Because there is eventually a declining ROI on those things, right? You can never eliminate risk unless you just stop doing business and turn off all your computers, and that's probably not going to happen for most industries. So that's where I think that shared accountability comes from. It comes from shared decision making, shared prioritization, shared understanding of what we're willing to accept or not, what threshold of risk can we live with, and what do we want to remediate otherwise. That's internal. When it comes to your vendor partner network, that is way more complicated. Same thing we talked about earlier, where healthcare has this disparity of capability and resources. Vendor partners have the same thing, right? You've got the really large ones that are well resourced, and they'll hand you their procedure sheet and their third party audit reports of what they do for security. Then all the way at the other end of the spectrum, you've got what I consider to be small business websites that might run a specialized program for real estate or some other niche purpose. Where, you know, they say we were in a pen test once last year. But that's it. And meanwhile, you've got an area of your organization that's screaming, saying we have to use this, it's the only one that'll meet our requirements. And you're trying to tell them, okay, but they're going to have the ability to log into our network. And third party breaches are one of the most common tactics to break into an organization now. If you look at some high profile breaches, you'll find that they came in through, for example, an air conditioning contractor who responded to a phishing attempt, used their credentials to log in, and then they escalated from there. Well, I don't really want to bet my organization's security posture on the security capabilities of 1000 or more independent, contracted vendor partners who may or may not have reasonable security practices. So it's up to me to make sure I'm working with everybody to get the right controls in place and give the minimum necessary access to these organizations, and make sure that people are aware of the risk before they engage in business with these types of companies.

Dr. Dave Chatterjee:

Fabulous, very, very insightful, Stoddard. Thank you so much for your time today. Before we conclude, any final thoughts for the audience?

Stoddard Manikin:

I would say that my journey has been very, very interesting in the cybersecurity industry, in particular for healthcare. It is a complex one, but also rewarding. It's one of those few industries, in my opinion, where you can truly find purpose and meaning in the long hours and the resistance that you have to push through. And I am very grateful to be in the position I'm in, where I can help protect patients and enable our caregivers to take care of kids.

Dr. Dave Chatterjee:

Well, thank you again, Stoddard, for all that you do. Appreciate your time on the podcast, and hopefully we'll talk to you again in the future.

Stoddard Manikin:

My pleasure, thank you.

Dr. Dave Chatterjee:

A special thanks to Stoddard Manikin for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.
