Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity and risk, and the people, process, and technology making healthcare more secure.
A special thanks to our partners, Intraprise Health, Fortified Health, Ordr, and CrowdStrike for helping us cut through the noise in this ever-evolving cybersecurity landscape. Thanks for being part of the community, and now this episode of Unhack the Podcast.
The Importance of CISO-CTO Relationships
I've spent a fair amount of time in phone calls and Zoom calls and podcast recordings and 229 summits and city tours this year, hearing from health system leaders, including CIOs and CISOs and CTOs. And while opinions vary, it's the peer relationship between CISOs and CTOs that seems to have a big role in whether or not cybersecurity efforts at a health system are a success or a failure.
For the CTO, they and their teams are doing their very best to keep everything up and running smoothly, with a goal of creating minimal disruptions for clinical, business, and research teams. And they're working a huge number of projects. And on top of that, they're handling lots of unexpected pop-ups, adding to the stress of the job.
And some of that stress is absolutely tied to cybersecurity. CISOs, on the other hand, or the hand that's right next to the first hand, they're running their programs, often working closely with clinical, business, and research operators to find the best way to make sure they're compliant with security and privacy mandates.
They're working with organizational leaders to define risk and mitigate that risk, and doing daily hand to hand combat with adversaries who are trying to break healthcare operations, steal data, and harm patients and families. But there are just times when the CISO and the CTO have conflicting priorities.
And when that happens, it's the quality of the relationship and the amount of empathy that helps keep that relationship intact. And maybe makes it stronger. See, conflict isn't a bad thing. It's a natural thing. It's the way that you handle that conflict that can make it feel good or bad. And as a result, it can have a negative or hopefully positive impact on the organization and in turn patients and families.
During my days as a health care exec, I remember walking into conference rooms with my direct reports, and sometimes their direct reports, working together to solve some really incredibly difficult problems facing us. And we would have some of the most rambunctious knockdown drag-out debates you've ever heard.
Always respectful, but sometimes emotional, and they could get loud. They could get loud enough that from time to time the HR VP, who worked down the hallway from our conference room, would ask me about these really noisy meetings afterwards. And I would tell him that I thought the noise was an indication of the passion of those in the room for the mission.
And the opportunity for clear, although sometimes loud, communication allowed for a better view of the problem and the options and ultimately the solutions that were best for patients and families. And in all of it, nobody was hurt. In fact, not even feelings were hurt. Most everyone was actually happy to have an environment where they could safely air their grievances, talk about their challenges, talk about the conflicts that were inherent in the work that we were doing.
And in the end, they all understood, through practice, that they were safe in that room and that their comments wouldn't be held against them later. And that once we made a decision in that room, we all understood what went into it and the risks of the decision. And if you didn't like it, you were still an advocate.
And you could explain the decision. That kind of openness didn't happen immediately, of course. We had to have some good informal and formal orchestra conductors in those rooms who played their part, sometimes agitating others in the room to get the real issue out on the table, sometimes calling for a break when the discussions became a little too intense. But it was all for good, and it built trust and understanding and empathy, and it made for a better group dynamic and a better one-on-one relationship between the leaders in that room.
So in this episode, I asked the CXOs I interviewed for their best advice in managing the important relationship between CISOs and CTOs, and how to make it successful even when times are tough. You'll hear from Michael Meis, Associate Chief Information Security Officer at the University of Kansas Health System. Hugo Lai, CISO, Temple University Health.
Dr. Jesse Fasolo, Head of Technology, Infrastructure, and Cybersecurity at St. Joseph Health. And Dee Young, Chief Information Security Officer at UNC Healthcare. And then we'll wrap up with Shawna Hofer, the CISO at St. Luke's in Boise. The two of us will do a little post-podcast discussion. You'll hear her thoughts about maintaining that CTO-CISO relationship.
There's some really great insights in here from some really solid healthcare cyber leaders. Don't blink. It'll go fast. It's relationship management time on Unhack the Podcast.
Michael Meis: Healthy Friction
The most important thing to realize, first of all, is that friction, that inherent friction between a CISO and a CTO, is not only healthy, but necessary. And I think that's an important mindset shift for CISOs to understand: when you realize that it's supposed to be that way, you don't view it as this negative thing that you have to overcome.
It's a positive thing that you need to embrace. Because if a CTO was trying to do the same thing a CISO is, or a CISO is trying to do the same thing a CTO is, the pendulum will swing too far to one side of the fence, and you'll either move too slowly and not meet the needs of the organization, or completely abandon security and move with a reckless path forward.
So understanding that friction is healthy, I think, is the first and most important step for any CISO to understand. And then after you understand that, it just becomes your normal way of operating as a CISO in a modern environment. You have to have open communication with your CTO, take time to understand their perspective, take time to understand the goals that they're trying to achieve, the goals of the organization, and what is actually trying to be accomplished.
And then working backward from that, attempting to secure those objectives. Because what often happens, at the end of the day, is when you take that time to understand it, you realize that you have more shared objectives in common than what you realized at the outset. And so if you're taking that time to really understand those perspectives, as well as share your own, it's a lot easier to find that middle ground.
And then the second part of it is just that education piece. Nobody outside of security is studying the latest security trends and the latest ways that technology is being abused. And so it's up to us to educate our counterparts on those modern techniques, those modern attack paths, and how their best-intentioned technology can be turned against them.
And then finally, and it's the word everybody in security hates, but learn to compromise. Understand where the middle ground is, understand where you cannot compromise, and understand where you can compromise to be able to find that middle ground. And then stand your ground on the stuff that absolutely cannot be compromised on.
You stand your ground on MFA on external-facing services, you stand your ground on unsecured RDP, but then you start to make exceptions where it makes more sense for your organization and where it doesn't create a lot of unnecessary risk and still enables the organization to meet those objectives.
Hugo Lai: Proactive Relationship Building
It's always best to build that relationship up front with your CIO, CTO, the ones who you're going to be working with on a regular basis. You don't want to get to know them after there's an issue. So building that relationship is key. The second is also to try to understand from their perspective what are some of the projects or initiatives that they are working on, right?
And normally I would also build my cybersecurity program with some flexibility in there. So try to make it very nimble. And as the opportunity arises, I would partner with the CIO or CTO on those various projects. Typically in the past I found that to be very effective.
Jesse Fasolo: Building Effective Relationships
It's interesting, the relationship to build between CISO and CTO, because they need each other to be successful. And the CIO needs both of those individual roles to work very well together. For my position, handling both the technology and the cyber stack in my current organization, I've blended that within myself.
But for advice for others, I'll give it both ways. One way, from a highly technical perspective, learning the technology over the past 10 years: technology professionals, CTOs included, need to understand that cybersecurity, the requirements thereof being passed down to them, are required nowadays.
They're not something nice to do, nice to have, we'll think about it, we'll do it later. The CTO, when provided insights into how to configure something, or best practices or suggestions or standards or frameworks that are to be followed, it's something that they need to align with and they need to adapt.
And understand that their technology is susceptible. So is all software. So is all people. So if you think about it from that perspective, the CTO really is awaiting change configurations or change requests from the CISO on that technical level. From a relationship perspective, a CTO in itself obviously can't do that and succeed.
And if they move forward, the CISO would start reporting out that things aren't getting done, or there's a deadline, or there's something not being done because of the CTO and their capabilities or inabilities to deliver. So obviously you need to align, you need to plan out, coordinate, and build that relationship.
From the CISO perspective, I find it more difficult, because the CISO sometimes is not technical. The CISO sometimes is provided or fed information from resources and sources out there, and sometimes they don't understand the technology and what's going on, or what's required of the organization or the people or the staff to facilitate some of these changes, and/or don't recognize the outage or impairment or issues that can be downstream to the patient or to the organization in general.
For example, if you're enabling certain levels of encryption and a product that is currently in the environment is not capable, but the CISO is saying, you need to do this regardless, I don't care, obviously you're going to, one, cause problems for operations. You're going to cause impact to the patient or to the organization.
And any down system is now the fault of not only the CTO for supporting it, but the CISO for making the recommendations that require those changes. So that's the dynamic where you have left and right trying to work together in the center. So I think you said it yourself, relationship is one of the most important things, and building that relationship, having a continuous cadence, is important.
In smaller organizations like my own that I served, it makes sense to have both roles reporting to one individual, because then you can build a relationship and you can make the teams work well together. But the most important thing is building that initial relationship, understanding that when one of those individuals moves forward, the other one has to move forward at the same time.
And I think that's just a high-level perspective, but it's relationship building one-on-one.
Dee Young: Pivotal CISO-CTO Partnership
It's one of those relationships that's so pivotal for the CISO. I think in my case, coming from multiple healthcare organizations, I was able to watch my mentors handle the relationships. And then coming into my current role, it was an interesting dynamic.
So again, some of you might or might not know, I started right when COVID started. So my CTO was busy. I came in and they were busy redesigning the network, trying to figure out virtual nursing, trying to figure out telemedicine. So that was an interesting time period for us both.
But I think as time has progressed, it's become one of the most critical relationships for me. I think the technical acumen that the CTO brings, as well as their team, has to be such a pivotal partnership with the CISO and the security office, and that we're really working in tandem. They're actually doing the operational boots on the ground, and we're really trying to protect the organization, and in healthcare, it's so dynamic, it's moving all the time.
We have vendors that are wanting to do crazy things, and so a lot of times it is really the relationship that I count on the most as far as making sure that I'm making sense with some of my decisions.
Got it. What about the care and feeding of the relationship long term? What are some of the special things you do to make sure everything stays okay over time?
The hardest thing, or the thing that I had to work on the most, because I came into an organization where the CTO had been here for years and years. So I was the new gal. The biggest thing that I had to work on was really just proving myself. And also creating that environment of trust, not only with him, but also his staff, so that they understood where I was coming from, that I also really worked to value the history of the organization, and the tribal knowledge that they all knew, that obviously I wouldn't know coming in. But it's definitely a layered approach.
Not only the CTO but working with his staff and making sure that there's alignment. I think there's also something that I really try to coach my staff in, that there shouldn't be an adversarial relationship. This should really be a partnership, and especially in healthcare, we're all trying to do such a hard job that it's something that I work really hard at, to try to build that trust from every employee all the way up to the CTO.
Recap with Shawna Hofer
Hi, I'm Drex, and this is Unhack the Podcast. I'm joined today by Shawna Hofer, CISO at St. Luke's. Hi, Shawna.
Hi, Drex, thanks for having me back. Of course, so this is the part of the show where we talk about the stuff our guests just talked about, and then we talk about them.
And I also get to hear your views of the story of the CISO-CTO topic. First impressions, what did you think? I reflected on it at a high level and went, I'm sensing a similar trend as with the CISO stories. And that, first of all, it seems like CISOs are generally aligned. A lot of the outcomes of those conversations, in my mind, were all about relationships and collaboration and connection, and I think that, in my mind, tied back to the stories, the one that we talked about with the board.
At a very high level, I thought it was great to see that alignment.
So one of the things that sort of struck me that I talk about in the opening of the show, but was reinforced by Michael Meis, and that was the conversation about friction, and about how people are afraid of that friction, and they don't like it, and so they try to avoid it.
But he asserts that the friction is actually a really important part of the process. And he's the only one who really highlighted that. I think the rest were really just focused on trust and relationship building. I found that to be interesting. Yeah, I liked his point.
I'm going to ask you the question too. Sometimes in a lot of the conversations that we have, your relationship or your opinion about these things comes out. He talked about the balance, and the balance that needs to be created, because the friction
creates the balance and makes the balance stay in balance, so that you're not overclocked on the CISO relationship or overclocked on the "no, don't touch anything because we have to keep everything up and running." There's probably a happy medium there. You see the same thing, I'm sure.
Yeah. I have such a great relationship with my CTO equivalent.
And so it was interesting listening to him through that lens, because I was questioning whether we had good balance, right? Do we lean too far in either direction because we have that intent to support each other? And it was a good reflection on whether you have that tension and recognize it being healthy, or whether you have a really healthy relationship and need to check whether you have enough tension.
Like, I think it's a good way to check.
Uh-huh, it does. There's things obviously he talks about. There's stuff you have to stand your ground on. And then there's stuff that maybe you can be a little more flexible on, timing and all of that. You have that experience, I know.
Absolutely.
What I loved about what he said is he talked about that need to be flexible in tandem with understanding what their projects are and understanding how you can support their projects. And that to me was key, because, and I wonder how this is different in different reporting relationships, but I'm on the same team as the CTO, so we both report to the CIO, and in many regards, we look at overall initiatives in the IT department as we're all in it together, right?
So when we talk about the need to resource-adjust and prioritize, we're doing that from a holistic view, and when it comes to my push, or the cyber push, to the CTO on needing to come around on some cyber issues, we try to address that flexibility and that partnership through the lens of, what do you need from me?
So in the past, I've gone and gotten resources for that team, right? Of, hey, I need them to step up their game in patching. They need help. They need resources. I'm asking on behalf of cyber for this resource in this org. So I think those are some different ways that I would apply what Michael said.
Yeah, Jesse Fasolo talks about that too. Hugo Lai talks about it in terms of empathy, I think, right? That you're listening to each other, you understand what each other needs, and that you take that into account. I know that during my time as a CIO, and Jesse Fasolo talks about this, so does Dee Young, there's a real opportunity.
As you said, to understand what your CTO is struggling with and use your position as a CISO to help lobby for the right resources that help them get the job done and take care of the patching or the upgrades or the other thing.
Exactly right. Yeah. And I thought what was interesting in what Dee mentioned as well is she referenced a little bit more coming into it neutral. So a part of her journey was having to dig in deep and understand not just the projects that they're working on, but the context and the history of the organization. And so as she's learning it through that lens, I think it really gives her that unique opportunity to come at it with, I'm really just here to partner, right?
Like, I'm not as in it as you are, 'cause I haven't been here building it, but I'm coming in as a brand new partner and I still want to help. I thought that offers a unique and cool way.
Yeah, you've done that. Come into a new place, and there's a lot of reasons sometimes that things are dysfunctional and don't work the way that they should.
And, Dee really did make a great point about coming in and listening and asking a lot of questions and learning.
Yeah, you bet. I thought overall though, trust, like the word trust, relationship, collaboration. Jesse talked about the cadence of those meetings and how important that is, I think, to stay consistent.
I agreed with everything that they all brought up.
What about the technical part of this, right? The, does the CISO need to be technical or more technical because of the conversations that are happening? So that they don't, I mean for a lot of different reasons, but what do you think about that?
Yeah, I think this is interesting, and coming from myself, who I don't consider to be a deeply technical CISO, this can be a hot topic that certainly charges folks. But I think what's interesting to me in that lens is, if you're not a technical CISO, I think that you have to do enough of the homework and enough of an understanding to be able to speak the language.
That's your responsibility, at least at the higher strategic, risk-based level, and the detail, the granular pieces of it certainly, I think, can come from various resources that are trustworthy and that you can pull feedback and input from.
But if you can't speak that language at all, I think it does add some challenges. But I think that goes both ways. I think the CTO has to be able to speak a little cyber or a little compliance, right? And so I think that's just part of leadership at that level, learning to adapt and speak to each other's needs, and I think that's in every role.
Yeah, I don't remember who it was, it may have been Jesse, who talked about how you spend your days and nights and weekends, and all you're thinking about, all your team's thinking about, is security. You're learning about all the latest breaches and all the things that are happening and all the vulnerabilities that are out there.
So part of your job, and the CTO's job, is to teach and to help them understand that when you say something's urgent, I'm not messing around. There's actually a real problem. This has been exploited in the real world, and we have this exposure, and here's why I'm asking you to do this.
And that really creates the trust that you're talking about.
And I think that goes back to the, the undiscussables, or the ones that you're not willing to flex on, right? Why are you not willing to flex on those?
And you have to make sure that there's an alignment and understanding. And then the rest is all just dialogue.
Yeah. And the CTO too. Yeah, exactly. On the CTO side too, right? There's, look, we literally cannot do this right now because of whatever. There's another thing going on.
We have a go-live that weekend on this thing that you're trying to tinker with. Exactly right. Yeah. Tell me about your story with your counterpart, your co-collaborator, in all of this. And what advice and guidance do you have for folks who are listening?
I hinted at it a little bit. He and I have an incredible relationship, and I think that's in large part time and investment, right? We've both been at St. Luke's for a very long time, and we are both mutually invested in not just the mission of the organization, but in the security of that mission.
And so it makes my job a little bit easy. He's such a strong cyber advocate. In fact, we recently both presented at the board together, and we were able to speak to the work that our team, again, is doing together. And so for me, I took away from this, I think I've nailed it on the relationship side, right?
We've got that, we've got the trust, we've got the collaboration, the flexibility. I think we do a good job at that. I think what I'm even going to take away from this myself is, do we have enough tension? I would love to go back and say to my CTO, do you push back on me enough?
And am I pushing on you enough? And is there anything that we can do better for the organization in that regard? But I think that being part of the same team, I know there's a lot of feelings about whether the CISO should report to the CIO and such, and I think it really just depends on the organization, but at least for us, it works really well. Again, that concept of we're all on the same team and we have the same goals, and so how do we leverage the resources across our entire organization to accomplish that, is really helpful for us.
In Jesse's particular case, they've combined the position into one person. And I see that happening in a few places, right? Yeah. There's a few CISTOs out there. There are. One of our good friends, Stephen Ramirez at Renown has become a CISTO and he's funny in the way that he introduces himself sometimes in that role.
Almost like I have to argue with myself. I think we've heard him say it. I thought I almost heard Jesse say it, like this internal conflict that has to exist there.
Any advice for folks that are listening about the specific care and maintenance of the relationship over time, things that you've done that have continued to build and create that trust that's there?
Yeah, I think it goes back to what Hugo said, of be willing to be a partner, right? Be flexible and be willing to compromise a little bit on your project if it means helping them accomplish theirs. And like I said, in some of my examples, it's been going to get resources or it's been adjusting timing or priorities, I think. But really that mindset of, you're all in it together and this isn't only about cyber, I think has got to be number one for me in terms of advice. Yeah. Yeah.
Thanks for your time today. I really appreciate you coming on, doing the post-game wrap-up. I always have fun with you, and you're really good at this, by the way.
Oh, thanks, but I didn't ask you, Drex.
Drex, is there any advice that you participated in or saw as a CIO, between a CISO and a CTO, that you would like to pass on to us?
All of the advice that was given was really great advice. I think building the relationships early and having that good tension of, it's okay if you go in a room and have a knockdown drag-out fight, as long as it's respectful and it's not personal. It helps get all of the, whatever the real ugliness is about why we can't agree on this, it helps get it all out on the table, so that then you really have perspective about, okay, we have a problem, but it's not the one I thought we walked into the room with, right?
There are some other things that are going to keep us from being able to agree on this. And maybe here's how we can remold this clay so that it works for both of us. Or it works well enough that we can then sit down with executive leadership and explain why we can't do this on the timeline that they've asked, or any of those kinds of things.
Yeah, empathy and that good tension, I think, is a good thing to come out of this. I agree. No, that's awesome. Love it. Yeah. Start early. That's what you said. Yeah, exactly. Okay. Thanks for doing this. I appreciate this. Unhack the Podcast with my co-host, Shawna Hofer. And we'll see you again really soon.
See you next time. Thanks, Drex.
Outro
That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. Huge shout out to our sponsors, Intraprise Health, Fortified Health, Ordr, and CrowdStrike for supporting our mission to transform healthcare one connection at a time.
Find out more about their work at thisweekhealth.com/partners. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.