Welcome to the Cybersecurity Readiness Podcast Site
Nov. 24, 2021

Cybersecurity is Patient Safety

"Cybersecurity is patient safety and patient safety is cybersecurity," is how Stoddard Manikin, Chief Information Security Officer, Children's Healthcare of Atlanta, described the significance of cybersecurity readiness in the healthcare sector. Speaking with exceptional clarity and eloquence, Stoddard traced the evolution of the cybersecurity threat landscape and governance approaches, before discussing in detail what it takes to succeed as a modern CISO.

To access and download the entire podcast summary with discussion highlights, visit:

https://www.dchatte.com/episode-13-cybersecurity-is-patient-safety/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript

Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach by SAGE Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to another episode of the Cybersecurity Readiness Podcast Series. Today, our guest is Mr. Stoddard Manikin, Chief Information Security Officer, Children's Healthcare of Atlanta, with over 18 years of progressive experience in information technology, security, and privacy. Stoddard specializes in advising complex organizations on security topics, including regulatory compliance, integrating information security with enterprise risk management, and identity and access management. So we are truly privileged to have a subject matter expert with us. Stoddard, welcome! Thanks for making time for this podcast.

Stoddard Manikin:

Thank you, Dave. It's great to be here.

Dr. Dave Chatterjee:

So given the amount of time you've spent as a cybersecurity professional, I'm sure you've seen a lot over the last 25 years in the cybersecurity space. How would you capture the evolution of this phenomenon, and what has stayed with you by way of lessons learned?

Stoddard Manikin:

I think that cybersecurity has evolved dramatically since I've been involved, in the 1990s. And that's true of so many aspects of, you know, modern life. But in particular, we didn't used to call it cybersecurity, either. We used to call it, you know, information security or even data security. So the name itself has changed over time to reflect what the world thinks of it. But I think that, most importantly, it's captured the imagination much more. So it's kind of followed that hype train, if you will, that popular culture typically does, where something is marginally understood by the masses, and then some tiny aspect of it is used to appeal to the masses. Like if you look back many years ago, when there were hacker movies coming out of Hollywood, and everything was just super oversimplified and glorified. And it made everybody fear that these hackers were everywhere, and they could get in and steal all your information by guessing a couple of passwords, right. So now I think we've gotten to a point where most people realize there's not just somebody hiding in a basement somewhere with a dial-up modem cracking into all these different organizations. I mean, now we're talking about organized crime, state-sponsored actors, you know, script kiddies renting ransomware as a service and using it to make money. And it is truly a cottage industry, where at this point, a lot of these ransomware-as-a-service operations will not only provide the software, but also they include English-speaking help desks to help their payers figure out how to buy bitcoin and pay the ransom. So it's a tremendous evolution in terms of the threat landscape.

And it's also a remarkable evolution from the perspective of practitioners like ourselves. So the specialization is significant. Whereas 20 years ago, you might have one security person, or maybe just a network person who dabbled in security, and they had to learn how to do it all. And the expectation from management was that one person could do it all. And now you have specialization of positions in cybersecurity much like you do in the medical field, where you wouldn't want to hire, say, a surgeon to look at common colds. Right? What is the point of that? Nor would you want a general practitioner doing surgery. Well, it's a lot like that in cybersecurity: there are certain positions where you are trained to do certain things, and you are not necessarily an expert to do others. And so that specialization has become very traumatic in the industry. And unfortunately, we still have a ways to go in convincing non-practitioners of this specialization's importance, because we still see job postings out there looking for a security professional, and they're expected to do the work of eight different people. So I think that's kind of the next step of the evolution. It's that recognition of the variety of specializations in cybersecurity, and that no one person can do them all.

Dr. Dave Chatterjee:

You captured the landscape very, very well. I couldn't agree with you more. Talking about specialization, getting the right people for the right kinds of roles in cybersecurity is very critical. And there are challenges there. But, at the same time, you also need the non-cybersecurity professionals, the members of the organization, to also do their part. Don't you agree?

Stoddard Manikin:

Absolutely. Cybersecurity is everyone's responsibility within an organization. It's to the point where, in my opinion, certainly every IT job description should have some type of security requirements written into it. Because I think we're past the days where you have a few people in a room providing all the security to the organization, and it's just up to them to take care of it. It's now a central team coordinating cybersecurity for an organization, but directing a lot of different players. And when it comes down to it, people are the easiest way to breach an organization's security defenses. So it's incumbent on every organization to train all of their users that have access to IT resources, and equip them with the knowledge and awareness they need, so that they can be prepared should someone target them with some kind of attack or attempted attack.

Dr. Dave Chatterjee:

Yeah, the human element in cybersecurity is so significant, I like the way you framed it. I couldn't emphasize more what you just said: everyone has a role to play, and they must be trained accordingly. You know, I've been doing research in this area, I've authored a book, I consult as well. One of the things that I see across the spectrum is a varied approach to cybersecurity awareness and training. In some organizations, it's about checking the box and doing the required training once or twice in the year. It's kind of broad-based, a hit-or-miss approach. And then there are other organizations where they have more role-focused training. In your experience, what have you seen? Or what are you seeing? And what are your recommendations when it comes to cybersecurity awareness and training?

Stoddard Manikin:

It's a great question, because it's so relevant. And I think that what you were describing, where an organization might provide perhaps an onboarding training when they first start to say, "Hey, don't give your password to anyone, and here's how you enroll in password reset, and watch out for phishing attempts." That's, like, maturity level 1.0 and table stakes. Right? You have to do that on their first day, of course. But from there, it requires consistent reinforcement of the topic, and reminders for people, because human beings typically can't retain information forever after hearing it once. And so what I find to be most effective is to start off with that kind of onboarding training, that background stuff, the context. And then what that does is it plants triggers, so that when the users hear future trainings, it reminds them, "Oh, yeah, that is important. And I remember why, and I heard this before somewhere, but I can't quite make it out." And so over time, you build up that retention and awareness.

And I think that minimum once-a-year type of training is what a lot of organizations do. And frankly, it's not enough, depending on someone's job function and responsibility. So maybe you do that for the majority of your workforce that rarely has to worry about security issues. But if you've got people processing an invoice and payroll, then they are specifically going to be targeted with business email compromise attempts constantly. And if you only train them once a year, you can't expect them to successfully repel those attacks that have been honed and improved upon through thousands of attempts around the world on a daily basis. So I find that providing them specialized training, giving them a forum to ask questions, testing them on it, perhaps even monthly with a simulation exercise, is how you get the best behavioral response.

The other part of that training is it can't just be one way. When you're giving them the info, the next step is to test them on it. And then the step after that is to measure them on it. So for example, if you do a quarterly or a monthly phishing test, capture the results of that test: did people click on the link or enter their credentials? Did they open the attachment? Did they do nothing? Did they report the message proactively, which is the best behavior? And then report on those percentages by department, by division, by type of user to the leadership chain, and the data will help you figure out where your education is working, and where it needs to be improved.

Dr. Dave Chatterjee:

Fantastic. I mean, being able to measure the effectiveness of training is so critical. And I don't hear folks in your position emphasize this enough. In fact, this is the first time I'm hearing a CISO so emphatically specifying the importance of measurement. Because there's no point giving people training if you're not able to see the progress, or if you don't see the progress, what else can be done. In other words, you know, taking a very substantive approach, as opposed to a check-the-box approach, where you really want to see that whatever training is being given is having an impact. Talking about measurement, Stoddard, if we can go a little broader, as the CISO of your organization, and you don't have to be specific to your organization, you can be very generic. What are some metrics or KPIs that are being tracked or should be tracked?

Stoddard Manikin:

This is a very challenging one to answer. Because the audience that you're preparing the metrics for has very different levels of understanding of them. So you know, if you think back to the old days, when you had a CISO who was more of like a network security person or an IT security person, they would try out the metrics of, you know, the number of intrusion attempts and the number of things that got blocked at the firewall, and all very kind of technical, objective data that wasn't necessarily meaningful to the audience. I think there's a place for some of that data to remain in your kind of dashboard reporting type of things, particularly for your executive team and your board. But I think you've also got to have some other really common sense measures in there. Things that are more related to the organization itself. Like, for example, if you have a strategic goal to reach a certain level of maturity on a given maturity framework, then you might want to report on what your most recent third-party assessment gave you as the maturity ranking, and whether that's up or down, and the areas where you improved, the areas where you're still lagging, and so forth. You might also want to include something along the lines of the number of IT audit findings that happened from an external audit, because I think that's important to watch for trends. And then you can dive into the details, either in the comment section or in follow-up Q&A, where you say, here's where the audit findings are. Is it the same place as the last three years, and we're not fixing it? Or is it a brand new place? Or is it a brand new field, like related to cloud security, that's just so new that you don't have a handle on it yet? And I think that that way, your metrics can drive the conversation of where you need to focus and prioritize investment.

Dr. Dave Chatterjee:

Absolutely. In fact, you touched upon three things about performance measures. First is taking a holistic approach. In fact, when I look at my research, my book, I come at it from the standpoint of business value impact measures, productivity measures, extent of preparedness measures, audit and compliance measures. And there can be more. The second thing that you talked about is equally important: what's the point of measuring, if we are not gonna review the results and act on them? So what mechanisms are in place to effectively and promptly review the findings and take action? And the third is, who is interested in these measures? And how important are these measures to them? As you know, in organizations, there can be a multitude of metrics, and often what gets measured is what is convenient to measure, not what needs to be measured. And I'm sure cybersecurity is not an exception to that situation. But yeah, the points are very, very well made. Moving along, from the standpoint of CISO empowerment, essentially, the question is, what does it take to make a CISO, and when I say CISO, I mean the CISO function as a whole, effective?

Stoddard Manikin:

Well, that's an interesting one, too, because the role has changed over time, including its position in the organization and the reporting structure. And there is no one answer to this either. A lot of it depends on the organization and who's in the roles at that organization. I think that historically, a lot of CISOs came from, you know, one of two places: they came either from military and law enforcement, or they came from a network security type of background. And both of those types of backgrounds prepare you well. But unless you're able to expand your perspective and embrace a lot of other areas of the organization, you can't succeed as a modern CISO.

I certainly need the fundamental technical background, to understand what people are telling me and what the implications are. I need to understand how law enforcement works, and when do I engage with them and how to do so effectively. But I also have to understand regulatory compliance, I have to understand audit, I have to understand finance, because when I'm trying to get a security product in-house and implement it, I have to know how to budget for it, whether it makes more sense for us to capitalize it or subscribe to it and pay it out of opex. I have to know whether the training should be included or not, depending on how we want to pay for things, and what the useful lifespan is going to be. So I've got to understand those financial implications. I also need to understand insurance, because cybersecurity insurance is a critical aspect of this. And then there are other areas as well that you've got to have a broad understanding of.

But first and foremost, the most fundamental thing you've got to know as the CISO is the business of the organization that you're in. Because if you don't understand how the business operates, what it does, how it earns money, how it spends money, where it really makes its profit that funds other areas that have losses, then it's very hard for you to understand how to prioritize what security controls need to be put in place, and also how restrictive you can be without cutting off the lifeblood of the organization.

Dr. Dave Chatterjee:

Security versus convenience, security versus the mission of the organization: you have to find that balance. Very well said, very well said. So I'd like to follow up on a couple of things you mentioned. You talked about law enforcement and regulatory compliance. And that brings to mind the role that the legal function plays. And if you think about it, when organizations are in trouble, many a time that leads to a lawsuit, they have to defend, you know, all that they have done to protect the organization, and so on and so forth. So doesn't it make sense to involve legal every step of the way? And is that too much to expect? Because when I pose this question to people in other organizations in your role, I get very different responses. And sometimes the responses are not very clear. So I want to know, from a practical standpoint, how feasible is it to involve legal or to work with legal closely?

Stoddard Manikin:

I think it's not only feasible, but it's a requirement for survival of a CISO. So I've always had excellent relationships with the legal officers of different organizations that I've worked with. And I think that it all comes down to the relationship that cybersecurity has with legal, as far as how straightforward it is to engage. Now, I would not propose bringing everything to legal that happens, because so many things that start out as an investigation turn into nothing. It turns into, sure, this looks really bad. It looks like someone just hacked us from Puerto Rico, and we don't have any operations there. But then you dig into the details and the logs and you find, okay, we actually had someone on vacation and they got a call and they were asked to log in and do this. So you know, why would I alarm legal about that until I've done some due diligence around it? Bring things to them that are real. Or if they're significant enough that you don't know yet, but they need to be aware and involved early, then be clear with them that you don't know yet if this is real or not, but you're engaging them early so that if it becomes real, they'll have background and context and they are ramped up already.

Dr. Dave Chatterjee:

Very fair, very reasonable. But it's also true that when you're formulating your cybersecurity strategy, or let's say you're doing an annual review, that you get legal involved to provide y'all with a checklist or a guideline or the do's and don'ts, just to make sure that you're always staying on the right side of the law. Is that a common practice, a common procedure? Or do you accomplish it in some other way?

Stoddard Manikin:

You know, I think it depends. Because really, what I'm interpreting, as you say "legal" in that context, is it's really about regulatory compliance, or even contractual obligations, right, because those are two different things that you have to think about as a CISO. And from a regulatory compliance perspective, you've got to think about the international implications, the national here in the US, we think about state and local, and then beyond the governmental regulations, if you do business in other countries, you might have GDPR if you're in Europe, and it really gets complex quickly. States have individual privacy laws that you need to be aware of. And that's getting more and more complex. And then on top of that, you've got commitments to other partners that you have contracts with, in terms of how quickly you need to notify them if you have some type of breach. And you even have industry regulations. So for example, in the credit card industry, there's PCI DSS, the Payment Card Industry Data Security Standard. That is not a government regulation, that is essentially a voluntary industry requirement that, if you want to accept and process credit cards, you must follow. But it's created by a consortium of credit card companies. And so that's just kind of another dimension there.

And that's why I say when you say legal, it sounds to me like it's compliance. And in reality, that's not all coming from just one department, be it legal or compliance; that's coming from four different departments. It's going to come from legal on the contracts aspect, and they'll have to handle typically the government regulation. In terms of the industry regulation for PCI, that's going to be the finance division. It gets very complicated. And that's where I was saying earlier, it's really important for the CISO to have broad relationships everywhere. And even if they come from a narrow background, to have very broad horizons in their thinking.

Dr. Dave Chatterjee:

Yep, that is very necessary for the kind of role a CISO plays, which is highly interdisciplinary. And you talked about different types of regulatory requirements. Some are requirements. Some are industry regulations, industry expectations. So how do you stay on top of all this? Do you have a team that provides that guidance? Or is one particular person assigned to make sure that you're on top of all the different expectations from a compliance and other legal standpoint?

Stoddard Manikin:

Well, certainly, we're going to focus on the ones that are most relevant to us, above others. And for example, that would include the HIPAA Security Rule and the HIPAA Privacy Rule, the HITECH Act for health care, things like that. But ultimately, what I have found to be effective is to find a framework, a security framework that incorporates multiple regulations and requirements, so that you can focus on meeting the framework design and measure yourself against that. And by doing so, you're going to cover the majority of your bases related to regulatory requirements. So for example, in healthcare, there's the HITRUST framework that you could adopt. And I think a lot of organizations in the US in particular are using the NIST CSF, the Cybersecurity Framework. These frameworks incorporate multiple regulatory requirements; some of them go above and beyond. So you actually have to kind of be careful that you don't turn the wrench too tight on your organization. But it's a matter of picking that framework, laying it out, mapping what you do to the framework, figuring out where you're doing well, where you need to improve, and then measuring yourself on that.

Dr. Dave Chatterjee:

Okay, okay. Good to know. Talking about the US healthcare industry, or you can, you know, go even further and talk about the global healthcare industry, there are a lot of reports out there that talk about how the landscape or the areas of vulnerability are expanding because of the use of IoT devices, because of the complexity of these organizations. It's very hard to keep track of where the weak points are. In one particular report, they say there is enough evidence to suggest that US healthcare organizations lack a deliberate, organized, and comprehensive cyber resilience strategy. So with these kinds of statements being made, I just wanted to get your sense of what is the state of cybersecurity readiness in the US healthcare industry.

Stoddard Manikin:

So I believe that it's far better than it was in the past. But there's, of course, still room for improvement. When you talk about healthcare as an industry, it is a massive ecosystem. There are providers, including large healthcare systems with multiple hospitals and clinics, there are standalone independent hospitals, there are physician practices, there are medical device manufacturers, there's even the insurance industry around healthcare. It is enormous, and it makes up a significant part of the United States GDP every year. So what we're talking about is just massive, and such different levels of sophistication. But when it comes down to it, Dave, cybersecurity is patient safety. Patient safety is cybersecurity. Now, historically, cybersecurity in healthcare was all about confidentiality, because you were concerned about having a breach of patient data; electronic protected health information, or ePHI, would be a HIPAA breach. And then, if it affected more than 500 records, then you got on the HHS Wall of Shame website, where it was publicly known. You know what, it's not only about confidentiality, and I'm glad that it's not; it's much more about integrity, and most importantly, availability now, because now we recognize that, especially with ransomware attacks and similar types of things, systems become unavailable. And healthcare delivery, meaning providers, people touching patients and taking care of them, rely on electronic, computer-aided workflows. And if the systems are down, because some patch broke something or there's a ransomware attack, then you can't easily know a patient's blood type. You can't look at their medical records to know what history they have, what allergies they have; you can't get lab results back to know how to treat a patient. And sometimes that could result in a life-threatening or life-altering delay. So a patient can recover from a data breach, but they might not be able to fully recover from lack of care. So that's where I really want to emphasize that cybersecurity is patient safety. And we all have to take it seriously, regardless of where we are in that healthcare ecosystem. Now, to be fair, there is a significant disparity in healthcare systems based on size and resources and how prepared people are for cybersecurity impact, right. So those large multi-hospital systems typically have more resources and ability to deal with those kinds of things. Smaller community hospitals or systems might have fewer resources. Physician practices, if it's an independent practice, we've seen them close after one ransomware attack, because the physicians that work there said it's just not worth trying to recover. Because all our patient records are in that system, I'm going to retire. So there's really a significant impact if you're not ready to handle these kinds of things. And everybody's a little bit different. So I think one of the things we've got to move towards, and we've started to do so, is to level the playing field in terms of ability to protect yourself against cybersecurity attacks. And that's where things like industry consortiums and government resources help you do what you need to do, even if you don't have the same resources as someone who's bigger.

Dr. Dave Chatterjee:

Okay, that's good to know. And in terms of, you know, threat analysis, where you're kind of testing the recovery capability of your organization, how committed is the organization in doing these kinds of disaster recovery, business continuity planning? If you could expand on these approaches, strategies, let's say?

Stoddard Manikin:

Yeah, I think that testing your strategies and procedures is absolutely crucial so that you're ready to execute on them during an emergency. It's very similar to sports, where if you have a team that just shows up once a week to play games, they are probably going to really struggle to do anything intricate on the field. You've got to practice all week long to get ready for that game. So when it comes to business continuity, disaster recovery, responding to a phishing attempt, responding to a ransomware attack, any of those major types of incidents that you are writing an incident response plan for, you should be testing that at some frequency. You could do a tabletop exercise twice a year and bring all the different people together that would be involved in a ransomware attack. You can do red teaming, where you have offensively minded people on your team try to break something or hack into a system, and then tell you what's wrong and what needs to be fixed. That's actually evolving from the old Red Team, Blue Team, with the Blue Team, or the defenders, into a purple teaming approach, where the red team and blue team are in the same room working together. And the red team will say, here's how I would attack it; the blue team says, here's how I would defend against it. And then they both go at it together as a kind of a blended purple team. And that actually has even better results than the older model. So there's so many different ways that you should be testing these things. But I agree with you, it's absolutely essential to do frequent tests of the most likely and largest-impacting types of incidents.

Dr. Dave Chatterjee:

You know, you mentioned audits. And that brought back memories; I used to be an auditor in my first career. We always do audit, it's like after the fact, and I have been a huge proponent of real-time audit, whether it's financial, whether it's security, because you want to know what the vulnerabilities are, what the weaknesses are, so you get an opportunity to fix it before it's too late. And there's no point reviewing historical facts, because you didn't get a chance to fix it. It's past now. What are your thoughts on the practicality of conducting real-time security audits?

Stoddard Manikin:

I think that it's becoming more and more commonplace. And like you said, it's better to be proactive. Now, I do think if you've had an incident, you should do a very thorough review, root cause analysis, and understand what happened so that you can make changes and it can't happen again. And at the same time, I think that there is a concept that's been around for decades in audit, called continuous controls monitoring, right? And so when we, as security professionals, put a control in place, you think it's there, you think it's configured correctly, it's still operating effectively. But how often are you testing it to make sure? And so often, you put it in place, and you move on to the next thing without necessarily having a good operational plan to monitor it. So what I see becoming much more relevant lately is this concept of CCM, the continuous controls monitoring, where you identify some key controls where, if they were to fail, the impact could be significant, right? So high risk. And then from there, you figure out how are we going to monitor this: are we going to set up some kind of alert to tell us if it fails, and it sends us an email? Are we going to physically test it ourselves once a week, every day, every hour? We've got to automate that and then only email us if it fails. That type of approach helps you identify weaknesses and vulnerabilities before someone else finds them and exploits them. And that's certainly one of my focus areas, is to identify what those key controls are, come up with the monitoring plan based on potential risk, and then make sure that we're proactively looking at them ourselves, before someone else finds them.

Dr. Dave Chatterjee:

Couldn't agree with you more, you've got to be proactive. You've got to continuously monitor. You know, Stoddard, as you are aware, based on the media reports, many of the breaches that have happened, large breaches, major breaches, the story goes that the organization was made aware, or a particular individual was made aware, who did nothing about it. Based on your experience in the field, how or why does that happen? It's almost borderline negligence. And that's what the courts have found time and again; in several cases, they have found organizations to be guilty of negligence. Can you speak to that?

Stoddard Manikin:

I sure can. And I also want to be very cautious, because you can't always put yourself in someone else's shoes, especially after something has happened. Right? It's very easy to look back and say, how did you not see this going on, guys? But I also know that historically, there has been a certain amount of scapegoating that has occurred with CISOs, where they were not necessarily given the authority or the resources to fix problems. They've made management aware of them and management accepted the risk. And only when it became a public relations issue did the organization decide that, oh yeah, we should have done something. Right. It's the traffic light mentality. You see car accidents happening at a corner, but until there's a really bad one that gets a lot of visibility, they don't pay the money for a new traffic light, because it's incredibly expensive to put that in there and then maintain it. So, you know, again, I want to be cautious about that concept of negligence, because it's really easy to throw that word around. And that's primarily a legal term that results in higher damages, particularly for publicly traded companies with shareholder lawsuits. What I can tell you from my experience is that the amount and volume of alerts that come from a good, mature security system of anywhere from 25 or more security tools is enormous. And no matter how big your team is, it is a physical impossibility to look at every one of those alerts and determine if it's real or not. So yeah, we need more automation, we need to use more machine learning and AI to handle that avalanche of data. But the reality is, you get so many of these types of warnings that you've got to use your judgment, and your artistic skills and your logic, to figure out which ones are the most likely to be going on, and which ones you need to track down in the limited amount of time and resources you have to deal with it.

Dr. Dave Chatterjee:

You know, that is very enlightening to know; it's a hard, hard job, no doubt. You touched upon something that brings to mind another topic that is very close to my heart. And that's the possibility of joint ownership and accountability. And you just said that the CISOs, or the security professionals, are made scapegoats of incidents; they often lose their jobs. But yet we say cybersecurity is everyone's business, everyone has a role to play. How feasible is it to have structures and mechanisms where there is some level of joint ownership and accountability, both within the organization as well as when you're partnering up with vendors, where the vendor organization also has a stake in ensuring your data is secure on their servers? Your thoughts?

Stoddard Manikin:

I think that I have been much more successful at doing that within the organization than I have with vendor partners. So, you know, let's talk about them distinctly. Internally, there is some responsibility with the security executive, via the CISO or anyone else, to build that kind of framework. And by that I mean, if a CISO operates independently and in the dark, and throws around a lot of technical terms and doesn't do a good job of explaining why, then they're not going to kind of build that shared accountability concept with the other key leaders of the organization. Right? What's very important from my experience is to explain the why behind things, to do shared decision making about which areas need prioritization based on risk, which ones you're going to jointly agree to not do anything about, or maybe do a slower rollout, for different reasons, be it financial, operational, and so forth. And even get some guidance from key board members so that they understand the risks that you're accepting, the risks that you're not willing to accept, and how much to invest. Because there is eventually a declining ROI on those things, right? You can never eliminate risk unless you just stop doing business and turn off all your computers; that's probably not going to happen for most industries. So that's where I think that shared accountability comes from: it comes from shared decision making, shared prioritization, shared understanding of what we're willing to accept or not, what threshold of risk can we live with, and what do we want to remediate otherwise. That's internal. When it comes to your vendor partner network, that is way more complicated. Same thing we talked about earlier, where healthcare has this disparity of capability and resources; vendor partners have the same thing, right? You've got the really large ones that are well resourced, and they'll hand you their procedure sheet and their third-party audit reports of what they do for security. Then all the way at the other end of the spectrum, you've got what I consider to be small business websites that might run a specialized program for real estate or some other niche purpose, where, you know, they say we were in a pen test once last year. But that's it. And meanwhile, you've got an area of your organization that's screaming, saying we have to use this as the only one that'll meet our requirements. And you're trying to tell them, okay, but they're going to have the ability to log into our network. And third-party breaches are one of the most common tactics to break into an organization now. If you look at some high-profile breaches, you'll find that they came in through, for example, an air conditioning contractor who responded to a phishing attempt, used their credentials to log in, and then they escalated from there. Well, I don't really want to bet my organization's security posture on the security capabilities of 1,000 or more independent, contracted vendor partners who may or may not have reasonable security practices. So it's up to me to make sure I'm working with everybody to get the right controls in place and give the minimum necessary access to these organizations, and make sure that people are aware of the risk before they engage in business with these types of companies.

Dr. Dave Chatterjee:

Fabulous, very, very insightful, Stoddard. Thank you so much for your time today. Before we conclude, any final thoughts for the audience?

Stoddard Manikin:

I would say that my journey has been very, very interesting in the cybersecurity industry, in particular for healthcare. It is a complex one, but also rewarding. It's one of those few industries, in my opinion, where you can truly find purpose and meaning in the long hours and the resistance that you have to push through. And I am very grateful to be in the position I'm in, where I can help protect patients and enable our caregivers to take care of kids.

Dr. Dave Chatterjee:

Well, thank you again, Stoddard, for all that you do. Appreciate your time on the podcast, and hopefully we'll talk to you again in the future.

Stoddard Manikin:

My pleasure, thank you.

Dr. Dave Chatterjee:

A special thanks to Stoddard Manikin for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.