Hey, Let’s Merge Our Technical Debt With Your Understaffed Security Team! (LIVE in Miami)


Security is always going to be an issue in a merger or acquisition because you’re consolidating two completely different environments with different security cultures. When is cybersecurity brought into the discussion when a merger is underway? An analysis of the acquired company’s security program can help with negotiations by revealing issues and costs that would otherwise be overlooked. If we know it’s so important, why does it always feel like we’re reinventing the wheel each time?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Adam Zoller, svp, CISO at Providence. Joining us is our guest Sam Jacques, vp of clinical engineering, McLaren Health Care.

This episode was recorded in front of a live audience in Miami as part of the Nexus ‘23 conference being held by Claroty.

(From L to R) David Spark, producer of CISO Series, Adam Zoller, svp, CISO at Providence, and Sam Jacques, vp of clinical engineering, McLaren Health Care.


Huge thanks to our sponsor, Claroty

Claroty enables varied sectors to protect their cyber-physical systems, known as the Extended IoT. The platform integrates seamlessly, offering comprehensive controls for visibility, risk management, network protection, and more. Trusted by global leaders, Claroty operates in hundreds of organizations worldwide. Headquartered in NYC, it spans Europe, Asia-Pacific, and Latin America.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice I ever got in security. Go!

[Sam Jacques] Security doesn’t just happen. It’s a result of public investment and collective consensus. I think we talk a lot about investment, but we don’t talk a lot about public consensus. We really need to have a conversation about what minimum expectations are for everybody – your grandmother, your son – on what cyber security education needs to be.

[Voiceover] You’re listening to CISO Series Podcast, recorded in front of a live audience in Miami.

[Applause]

[David Spark] Welcome, everybody, to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And sitting to my immediate left, he is the CISO over at Providence. A big warm round of applause for my guest cohost, Adam Zoller.

Let’s hear it for him.

[Applause]

[David Spark] Our sponsor for today’s episode is Claroty, secure your cyber physical systems. Claroty, that is where we are. We are at the Nexus 2023 event in Miami, Florida. It’s been a pretty exciting event so far. Yes, Adam?

[Adam Zoller] Sure has.

[David Spark] All right. Now, one of the things that we just want to make a note of, the context and the issue we’re in right now. We are recording this on October 11th, 2023 in Miami. Unfortunately Israel is at war right now. Claroty is an Israeli company.

[David Spark] Quick correction: Claroty is headquartered in New York City and has a global presence which includes a research and development center in Israel. A number of their employees should be here right now, and unfortunately they are not. And also that a number of their employees have also been called up from the reserves to participate, to fight in this war as well.

So, this will air on November 7th. We do not know what the situation will be then. But essentially our prayers and our thoughts are obviously with them. We are very concerned about everybody who’s involved right now. Have you had conversations with people right now, Adam?

[Adam Zoller] Yeah, absolutely. I’m in constant contact with some friends over there in Israel, and I just want to say that we stand with our brothers and sisters against these terrorist attacks against their country.

[David Spark] Yeah, my mother in law is actually Israeli, and that entire family is in Haifa and in Tel Aviv right now, so we actually have great concern for them as well. We have a show to put on for you right now, and that is exactly what we are going to do.

All right. With that being said, I do want to introduce our guest. You heard her just at the very beginning of the show. She is the VP of clinical engineering over at McLaren Health. Big warm round of applause for Sam Jacques.

[Applause]

[Sam Jacques] Thanks so much.

What’s the best way to handle this?

2:57.527

[David Spark] So, why does securing medical devices seem like an intractable problem? It seems like we hear about ransomware attacks against healthcare organizations on an almost daily basis. That’s because healthcare has a lot of open holes. Now, 14% of all medical devices run an unsupported OS.

23% of medical devices have known exploited vulnerabilities, or KEVs, and 24% of surgical devices have active internal connections. Now, all this research is thanks to the first Claroty Team82 healthcare CPS annual security report, which will be available soon.

And these vulnerabilities seem massive. Adam, I’m going to throw it to you first on this one. Is this a systemic problem where patching becomes essentially too difficult, if not impossible? And if so, what are other ways we can protect our medical devices if we can’t patch them like we do other software?

[Adam Zoller] Yeah, I think patching is just one facet of how we solve the problem. I think the reason this problem is such a big problem is because these devices are running commercial operating systems and commercial software. And yet they’re connecting to patients and providing care to patients in ways that oftentimes connect directly to a human and could, if they become impacted by an attack, cause real harm to people in a very real way.

I think from a patching standpoint though, these devices, again, they’re running commercial software. We need to start treating these devices as every other computer system on our network that’s running commercial software.

If we can patch it, we should patch it. Discovery of the devices, management of the asset inventory, patching when feasible, upgrading the operating system when feasible are very important points. But also we need to recognize that we aren’t going to be able to patch some of these devices because of the types of care that they provide and the amount of utilization that they see on a day by day basis.

So, in some cases, discovery of the device and an automated access control list or automated virtual isolation of the device needs to be part of that strategy to keep the device secure. The companies that produce these devices made a choice to develop on commercial operating systems because it’s cheaper, and it’s simpler for them to develop on commercial operating systems.

We need to start securing these devices as we secure every other commercial operating system device that we run in our ecosystem.

[David Spark] Sam, we were talking earlier, and you were explaining what seems like a catch 22 situation with these devices that are critical, extraordinarily expensive, and are running on unbelievably antiquated operating systems.

[Sam Jacques] What a lot of people don’t understand about medical devices is that the time it takes to actually design them and then get them approved via the FDA is a ridiculously long amount of time. So, by the time it actually hits us for commercialization, that operating system may have been end-of-lifed years ago.

And so we fundamentally use items that can’t be secured on a day to day basis. And I’m not sure everybody understands that it’s a fundamental problem. Unless we change the way we design devices, unless we change the way we approve them through the FDA process, we are going to have to deal with this issue.

And I agree with Adam.

The piece around understanding that patching is not a panacea, it is one tool in our toolbox to go ahead and secure the environment that we’re in. We definitely need to patch if you have a patch available. We also need to push our manufacturers to take a shorter amount of time to create the patch.

Those of you that are tuning in from non-healthcare entities, a patch in healthcare generally takes nine months to a year from vulnerability to us actually getting it in our hands. That is a long time for us to be vulnerable to something, especially when there’s attackers out there now really, really looking at zero day vulnerabilities and hitting us on day five.

I can’t wait a year to patch something. I have to find another way.

How have you actually pulled this off?

7:01.759

[David Spark] So, when a merger or an acquisition is underway, when is cyber security brought into the discussion? Now, an analysis of the security program of the acquired company actually can help with negotiations, revealing issues and costs that would otherwise be overlooked.

And security is always going to be an issue in a merger or acquisition because you’re consolidating two completely different environments with different security cultures. An organization with physical devices that are part of the organization’s equity complicates this transaction even more.

So, I’m actually going to start with you, Sam, because you were essentially talking about this in just our last segment. So, what is the biggest cyber security challenge in a merger or acquisition? Again, let’s just keep this focused on when you’re dealing with two companies that have physical devices that have enormous value, that are actually part of the critical value of the acquisition.

Can you admit to some mistakes you’ve made along the way, and where is the best place to start?

[Sam Jacques] Yeah, so I’m going to tell you, if your due diligence process does not include cyber, you might as well add five or six million dollars to your purchase price. Because you are going to end up acquiring something that has some kind of vulnerability you’re going to have to end up remediating.

So, fundamentally if your due diligence process does not do a physical scan, you don’t get an appliance on their network, you don’t get actual data out of it, you might as well be buying a black box. And so from a best practice perspective, I will tell you 99% of due diligence has nothing to do with cyber.

They won’t call you until they’ve bought it, and now they want to integrate it to the network. That absolutely has to change from a culture perspective. Cyber needs to be up front. It needs to be part of due diligence. Or you need to just start adding zeroes to the cost.

[Adam Zoller] Yeah, David and Sam, I think you hit the points. This is a cultural problem, a people problem that we’re trying to solve. It’s a technical problem that we’re trying to solve. I think involving cyber security up front is absolutely critical.

And use the cyber security team and the telemetry that you can gain through cyber security assessments as a tool in your mergers and acquisitions toolbox because you can actually negotiate for more favorable terms by bringing up the security issues, the vulnerabilities, the types of attacks that maybe…

[David Spark] Can you give me some examples of what exactly to negotiate? I just said money, but I guess it’s just money, or what else can you negotiate?

[Adam Zoller] Yeah, certainly. If you send a team in to meet with the IT team of the organization that you’re acquiring, for example, and you see that they have a tremendous amount of technical debt in their network infrastructure, network infrastructure is an incredibly… I’m preaching to the choir here in this live audience.

A very expensive set of equipment. Sometimes tens of millions or hundreds of millions of dollars to upgrade this equipment, depending on the size of the organization you’re looking at acquiring. If you know that you’re going to have to spend 25 million dollars post acquisition to update the network infrastructure and get it to a workable state for the organization that you’re buying, negotiate that as a part of the terms of the deal that you’re doing so that you get a 25 million dollar discount on the deal and you can pay for that network infrastructure upgrade post acquisition.

[David Spark] And both of you have dealt with mergers and acquisitions before?

[Adam Zoller] Yes.

[David Spark] All right. Let’s go to… I want to know what mistake you have made. Sam?

[Sam Jacques] So, ultimately it’s exactly what I said. You buy something, and you don’t know what you got. You need to go ahead then and figure out a way to make it work after you’ve acquired it.

[David Spark] By the way, I got to assume that always happens even if you do your best due diligence.

[Sam Jacques] No, and it’s true. You’re always going to find the ugly baby under the sheet. But fundamentally what I’m going to tell you is that a merger and an acquisition is not just a technical type of event. It’s also a cultural kind of event. And so if you can start peeling the onion layers back and having conversations about, “What does my network look like?” On my side, it’s, “What does the equipment look like?

Do I have 25-year-old CTs? Do I have all of this other multimillion dollar infrastructure that we’re going to have to dump money into after we’ve purchased whatever this asset is?” You really need to start having some conversations about what is the value of that acquisition?

Am I really getting nothing but the patients? Because I got to dump millions of dollars into the actual location to get it to where it needs to be.

[Adam Zoller] Yeah, I think I’ve seen mistakes that have happened at all levels in mergers and acquisitions. If we’re talking personal mistakes…

[David Spark] Cough it up. What is it?

[Adam Zoller] Look, I’ll say the best mergers and acquisitions are the mergers or acquisitions that take cyber security into account and get the ecosystems into a workable state where you’re inheriting a tremendous amount of cyber risk into your organization post acquisition.

I’ve seen too many acquisitions that have taken place where the networks are plugged into each other, if you will, figuratively. And the clean up process hasn’t been completed. And then lo and behold, you have an outbreak of malware in your environment that you have to clean up, or there’s a compromise that had been going on for months post announcement of the merger or acquisition that you have to go in and root out.

And God forbid that compromise impacted intellectual property for the organization that you’re buying because that fundamentally changes the calculus of what that company is worth to you.

[David Spark] Sam, just quick, close this out. You want to start. What is the best way to engage with the acquired company? Like, “All right, I’m sitting down with my counterpart at the other company.” What would be the great first step to start with?

[Sam Jacques] The first thing that you’ve got to ask is, “What keeps you up at night? Tell me what you’re super worried about within your organization. Because that worry is going to become my worry.” And so if I don’t understand what they’re worried about, again, I’m accepting risk I know nothing about.

Sponsor – Claroty

12:38.828

[David Spark] Well, no surprise to the people in the room, but our sponsor is actually Claroty. Yes. Now, for those of you listening to the podcast… Yeah, give it up for Claroty.

[Applause]

[David Spark] I want to clue our listening audience in on Claroty because it’s pretty impressive what they do. Claroty enables industrial, healthcare, commercial, and public sector entities to safeguard their cyber physical systems within their environment, often referred to as the extended internet of things, or XIoT.

Through a comprehensive platform seamlessly integrated into existing infrastructure, Claroty offers a suite of controls encompassing visibility, risk assessment, vulnerability management, network security, threat detection, and secure remote access.

The company envisions a future where cyber and physical worlds safely connect to sustain our lives. So, with support from leading investment firms and industrial automation providers worldwide, Claroty’s solutions are implemented by hundreds of organizations across a multitude of global sites.

The company is headquartered in New York City and maintains a global presence spanning Europe, Asia Pacific, and Latin America. For more information, you got to go to their website, and that is claroty.com. Go there.

It’s time to play, “What’s worse?”

17:13.566

[David Spark] All right. Now, for those of you who know this game, “what’s worse,” what it is is a risk management exercise. I offer two horrible situations that our audience sends in, and my guests right here will tell me which of the two awful situations is worse.

This first one is… And by the way, I make Adam answer first since you are the guest cohost.

[Adam Zoller] Can I defer to Sam?

[David Spark] No.

[Adam Zoller] Oh. Can I ask ChatGPT?

[David Spark] No. No, no, no, no. Although it’s interesting, one of our audience members did ask ChatGPT for a series of “what’s worse” scenarios, and I have a lot of those to go through that ChatGPT generated. So, I have to give our listener and ChatGPT credit on that one.

But this one was written completely freehand by one of our listeners. This is Brennen Crowe. This is really an ethics question here because both of these are dubious when it comes to ethics. Okay. You’re reviewing application architectures for approval on implementations that reduce costs and increase profits, and they must go in by a fast approaching date, or else your competitive advantage is lost.

Okay, here are your two scenarios. Number one, one application team presents documentation where there are multiple policy and regulatory violations. They need approval for risk exceptions, but there are no remediation plans for exposed vulnerabilities.

That’s your first scenario. You have another application team with errors in the documentation, but almost everything looks okay within policy and regulatory compliance. But when you ask them to clarify and correct these errors, they ask you, “What do we need to put to just get this passed?” So you have no idea if there’s truth in the integrity of the documents, are they lying to get this through, who knows.

What’s worse, Adam?

[Adam Zoller] This sounds like our everyday decision making process in healthcare honestly.

[Laughter]

[Adam Zoller] I think option A is worse because you’re knowingly going into a dubious situation, putting you on the wrong side of regulators. I can tell you from personal… Well, not from personal experience being shut down, but I know that the regulators can shut you down, and they will shut you down if you go on the wrong side.

[David Spark] But the other one with the errors in the documentations, that’s not as bad?

[Adam Zoller] I think you can correct errors. You can work with the team to get the documentation updated.

[David Spark] Wait, whoa. Let me slow you down right there. The whole thing with “what’s worse” is you can’t change the situation.

[Adam Zoller] Oh.

[David Spark] So, the errors stay errors in the documentation. Of course if we changed one to be good then it wouldn’t be a “what’s worse” situation. [Laughs]

[Adam Zoller] If I had to stop myself or had a dime for every time there was an error in a document…

[David Spark] It’s multiple errors. I just want to point out.

[Adam Zoller] Yeah, I’d be a rich man. Yeah, I think I’m going to go with the worse option is the first option, where you’re knowingly violating the regulations.

[David Spark] Multiple policy and regulatory… Which, by the way, the audit committee could find, and you wouldn’t necessarily be ethically dubious in that case.

[Adam Zoller] You’re ethically wrong.

[David Spark] All right.

[Adam Zoller] [Laughs]

[David Spark] But you’re like, “Well, they’re wrong.” You found them, that kind of a thing. This other situation you may be hiding something. That’s the thing. The second one, you may be hiding something.

[Adam Zoller] I didn’t create the documentation, did I?

[David Spark] Well, your team did, don’t they?

[Adam Zoller] Oh, my team created the documentation, and it has errors.

[David Spark] Your application team.

[Adam Zoller] And I can’t fix those errors?

[David Spark] No, they’re just there. Is this changing your tune here?

[Adam Zoller] No, no, no. I still think the first one is wrong. Look, an error is an error, and from an intent standpoint I think my team is doing the right thing. So, they made an error. We can discover the error. And hopefully in the future maybe fix it.

But for this scenario, I say option A is worse.

[David Spark] All right. Sam, agree or disagree here?

[Sam Jacques] No, I agree 100%. Fundamentally the last thing we want to do is get shut down. And so if there’s a regulatory violation, that’s immediate shut down.

[David Spark] All right, I’m going to throw this to the audience. Audience, I want to know by applause… Remember, scenario one is you have multiple policy and regulatory violations, and scenario two is those are fine, but you got a ton of errors in the documentation, and they kind of want to cover up those errors.

By applause, how many think scenario number one is worse. They think it’s worse. By applause.

[Applause]

[David Spark] Good amount. It seems like most of the audience here. All right. How many people think scenario two is worse by applause?

[Applause]

[David Spark] Brave souls. I appreciate that. All right.

[Adam Zoller] Why does the healthcare table think option two is worse?

[Laughter]

[David Spark] All right, so a lot of people are on your side on that one. Okay, here goes. Next scenario. This comes from a listener who gives us lots of great “what’s worse” scenarios. And this one is a quicker scenario setup. Here we go. It comes from Dustin Sachs of World Kinect Corporation.

Again, Adam, you’re first. Which one is worse, your antivirus software is disabled, or your firewall is turned off?

[Adam Zoller] Oh, the antimalware software?

[David Spark] Yeah, that’s completely disabled, or you turn off your firewall.

[Adam Zoller] Oh, man. And I can’t turn them back on?

[David Spark] No, no. Again…

[Adam Zoller] Oh.

[David Spark] Again, it wouldn’t be much of a game if we could do that.

[Adam Zoller] I have a lot of confidence in our EDR software, so I’m going to say the worse option is that our EDR software is disabled.

[David Spark] No. Well, the firewall.

[Adam Zoller] I’m going to say if the firewall is disabled then I still have EDR, and I feel comfortable.

[David Spark] Okay. EDR… So, the antivirus software being disabled is the worse scenario? I’m talking antivirus, not EDR. I don’t know how you brought EDR into this.

[Adam Zoller] So, wait. Hold on. So, we’re on basic, old school antivirus.

[David Spark] Antivirus software is disabled, or if… I don’t know how you got EDR into this.

[Adam Zoller] Because we use EDR. We don’t use just regular, old school antivirus anymore.

[David Spark] Well, you obviously have a problem with active listening.

[Laughter]

[Adam Zoller] You know what? I’m going to stick with my decision because…

[Laughter]

[Adam Zoller] I’m going all in.

[David Spark] All right. All right. So, antivirus software is the worse scenario?

[Adam Zoller] If my antivirus software is off, that is a worse scenario.

[David Spark] Okay. Sam, agree or disagree here?

[Sam Jacques] No, I disagree 100%. So, all of my assets are assets that can’t run EDR. So, I don’t have any endpoint detection on any medical devices whatsoever because they won’t let you get on. So, fundamentally if antivirus goes down, I am hosed. I would much rather have my firewall go down and deal with firewall going down than I would having to deal with my antivirus going down.

[David Spark] All right, we have a split decision here. Now I want to know from the audience here.

[Adam Zoller] So, we’re talking… Hold on, let’s clarify.

[Laughter]

[David Spark] Yeah.

[Adam Zoller] So, we’re talking…

[David Spark] By the way, this one was way simpler than the first one. Here’s the thing, when I was looking at this, I’m like, “Oh, wait. This first scenario is going to be confusing. They may have a hard time with it. The second one is simple, antivirus versus firewall.” And this is the one you had a problem with.

[Adam Zoller] Well, are we talking business systems and biomedical devices, or are we talking just…?

[David Spark] All antivirus is down.

[Adam Zoller] All antivirus is down.

[David Spark] It’s completely down.

[Adam Zoller] I stick with my decision.

[David Spark] So, antivirus is worse still?

[Adam Zoller] I want to have antivirus because I need the ability to detect and respond on the endpoints that end users are clicking on links on.

[David Spark] All right. So, hold on wait. So, what are you saying? The firewall being turned…

[Laughter]

[David Spark] I’m still confused here. Which one is worse?

[Adam Zoller] Having the antivirus off is worse.

[David Spark] And you said the same thing.

[Adam Zoller] Which is the opposite.

[Sam Jacques] No. Which is the opposite. I say we can take my firewall down.

[David Spark] Take my firewall down. Okay. All right.

[Sam Jacques] If the antivirus goes down then I’m in trouble.

[David Spark] All right. So, this was what you answered at the beginning. All right. I’ve got active listening problems. All right. By applause, how many people think it’s worse that your antivirus is hosed? By applause.

[Applause]

[David Spark] I’m going to say about a third on that one. Okay. By applause, how many people think the firewall going down is worse?

[Applause]

[David Spark] All right. All right. Adam, the audience likes your response a lot better than Sam here. But, Sam, I’m with you on that.

[Sam Jacques] I’m prettier, so that’s why I won. I promise.

Surprising research just in.

22:08.528

[David Spark] All right. Does generative AI shift the balance of power to threat actors? So, Aaron Mulgrew at Forcepoint wanted to see if he could build a zero day using only ChatGPT prompts, and he did. So, ChatGPT, if you just directly say, “Hey, write me a piece of malware, zero day malware,” it’s not going to do that for you.

So, Mulgrew, he got around this limitation. You can actually issue a series of prompts, divide up the problem in segments, if you will. And it allowed him to stitch together a zero day exploit. And he ended up creating a malware that was not picked up by VirusTotal.

Now, this sounds like more zero days will be produced. I will start with you, Sam, on this. Is this something that actually concerns you? If so, what needs to change, if anything, for us to combat this build-your-own AI-generated zero-day virus?

[Sam Jacques] Yeah, obviously it concerns me. Fundamentally the volume of issues that we have incoming as cyber security professionals just keeps going up exponentially. So, obviously it’s concerning. My issue is especially in the healthcare sector, we don’t necessarily have the resources to combat this type of work.

And so I really highly recommend organizations lean very heavily into incident response, have a very good incident response plan and then tabletop your incident response plan so that when this happens, because it’s going to happen, you can actually recover and respond to events like this.

And so if we get really good at response then it’s not going to become an issue fundamentally.

[David Spark] Do you feel that you actually build for this already? But I think more the concern and what I’m hearing is it’s just going to be more of that. Like here’s the big joke we make every year when they have those reports at the end of the year like, “What to look for in cyber security in 2024.” And usually the answer is, “You remember last year?

Just a lot more of that.” So, is that what we’re going to have?

[Sam Jacques] No. And that’s exactly what’s going to happen. Fundamentally the resources…the number of people we have working doesn’t change. We’re not getting more people. We’re not getting more money. We have to become smarter in how we handle stuff.

So, in our world, that’s risk ranking. That’s prioritization, however you want to go ahead and deal with all of the ambiguous stuff that’s on your plate. Fundamentally all of us, regardless of what industry we’re in, we’re going to get hacked at some point.

If you can’t figure out a way to respond to that in an effective manner, your business is toast. And so you really need to have an appropriate incident response plan, and you need to be practicing that plan so that the first time you use it is not when you’re down.

That’s a really bad position to be in.

[Adam Zoller] Yeah, I think we’re in the early days of generative AI certainly. And this may be one of the first cases of an individual developing malware with generative AI tools, but it’s not going to be the last. And I think it’s incumbent on us as defenders to use the benefits of these technologies to defend our networks, to upskill our staff, to supplement our staff with skills they may not have so they can defend the network effectively and at the scale and at the velocity that’s needed to defend against the types of things we’re going to see in the future, which I think is malware being developed by generative AI.

I think it’s just a matter of time until we have AI operated ransomware. So, we need to be prepared. I think the industry needs to be prepared, and the software vendors, the third parties that we rely on in the healthcare industry to provide critical services to patients.

Those software vendors, those application vendors need to be prepared and be using these technologies to detect vulnerabilities in their products and fix them before they become issues for us downstream.

[David Spark] This was done by somebody who works at Forcepoint, probably an analyst, a researcher. I see this… Because you think about when people show kits to make guns, that actually this knowledge is valuable because then we understand how this process is happening.

ChatGPT, the OpenAI group, was actually trying to initially put in some limitations to how they could use the tool. Now that researchers are discovering this, maybe they can sort of segment their limitations so that hopefully this problem won’t happen, you won’t be able to do it.

[Adam Zoller] Yeah, certainly. I think like Metasploit before it, this lowers the barrier to entry to conduct sophisticated attacks across networks. I think the most sophisticated attacks that we’ve seen in the hospital arena have been conducted using commercially available toolsets.

I think, again, LLM technology, ChatGPT, it’s a commercially available toolset. It’s lowering the barrier to entry for attackers to enter the market. I think we just need to be prepared and operate at the same speed, the same velocity as they are.

[Sam Jacques] No, I completely agree. I think the points that you bring up, especially around utilizing the tools for our teams in a way that’ll help upskill their ability and really leverage the tool that’s out there from a commercial application, is really one way that we can turn the tables and try and match their velocity.

Unexpected outcomes or failures.

[David Spark] Do too many vendors spoil the cyber security soup? Now, that’s a question raised in Kroll’s 2023 State of Cyber Defense report. It found across all industries that organizations use an average of eight cyber security platforms to monitor cyber security alerts.

Personally I’ve seen reports showing much higher numbers, by the way. The report also found a correlation between the higher number of platforms used and an increased number of cyber security incidents experienced by an organization. Now correlation is not causation here, but I’ll start with you, Adam, could this be a cause of too many tools making it hard to find the signal from the noise?

[Adam Zoller] I think it depends on what those tools are aligned to and what problems you’re trying to solve. I think if you have multiple tools that are trying to solve the same problem, you’re going to have several signals around the same use cases, and your teams are going to get confused.

Complexity is the enemy of efficiency in this case. But I also see that there’s organizations out there, vendors out there that are trying the converged model of cyber security toolsets, offering a menu of services or a menu of tools that solve all of your problems.

But in those cases, I’ve also seen that those vendors charge you an arm and a leg, and it actually doesn’t really simplify your life because those tools may not have all the features that a best in breed point solution would have to solve some of the use cases that you’re trying to solve on the defensive side.

So, I would say it really depends. Having a coherent centralized technology strategy is your best friend in this case.

[Sam Jacques] And I would add that fundamentally you should not be using technology to solve a process problem. We do that all too often in healthcare. We find the next big shiny thing, and we drop it in and assume it’s going to miraculously work for us.

My favorite word is automagically. It’s automagically going to save us from ourselves. Fundamentally good processes and procedures, teams that are well trained, teams that understand what they’re looking at when they’re looking at these alerts and what to do when they get an alert is actually much more important to me than the actual technology.

The technology…as long as it gives me what I need from a tool perspective… I don’t need eight of them. I need some well developed processes with some well trained staff, and we can go tons farther than just be inundated with alerts that I can do nothing about.

[David Spark] All right, that brings up a really important point that I have heard on many sort of CISO discussions. It goes back to the classic best of breed or platform choice, which classically the way it has been argued is, “Well, if you go best of breed, you are having the best solution.

But you have the integration issue.” And, again, the platforms say, “Well, if you buy the platform, you don’t have the integration issue.” Which, by the way, many people would argue that as well. But the new story that I hear is a bunch of CISOs, they don’t even look at point solutions for… It may be aligned with what you just said, is because I can’t train my staff on ten different products.

I got to get them on just one thing and get them on one thing cohesively as well. What do you think of that, sort of that’s why I got to look at platform only?

[Sam Jacques] It really depends on what the risk appetite for the organization is. There are some organizations that are so ridiculously risk averse, they’re going to make one choice. Because of their risk tolerance. There are other organizations that are just trying to survive, and so they will accept all kinds of risk to try and go ahead and make it in the world.

And so fundamentally, I think that conversation is less about training your teams and more about you need to understand the risk appetite and where you fall on that scale.

[David Spark] I also think it has to do with teams that have an engineering staff or not. Because if you don’t have one, I don’t think you’re going to have much success with point solutions, are you?

[Sam Jacques] It depends. You can outsource a lot. Cyber security at this point has a lot of managed services. I can outsource just about anything that I want to outsource. But then I have the integration problem again. Am I integrating vendor A with vendor B?

And is it talking to the solution that I have on prem? And my two people who know how to run it. All right, fundamentally as a CISO you need to understand what your organization and your architecture looks like so that you understand what risk you’re trying to mitigate.

If you don’t know what you’re trying to mitigate, all you’re going to be doing is attacking this giant elephant, and you’re never going to actually make any progress in mitigation.

[David Spark] All right, Adam. Jump in on this. Where do you stand on the whole idea of the point solutions versus the platform play? And do you agree with this argument of, “Well, I can only look at platforms because that’s how I have to train my staff.”

[Adam Zoller] I think there’s a lot of value to platforms. Like you said, organizations that may not have the engineering talent or they have small teams, and they don’t want to spread themselves too thin across multiple different toolsets, the single approach of a platform makes sense for those organizations.

But in my experience, what I’ve found is the platform approach, you get a broad swath of features, but you have to supplement those features with point in time solutions and add other vendors to the tech stack to satisfy use cases that the platform may not have.

So, specifically we were using the platform approach for email protection at Providence, and we’re now moving back to a point in time best in breed solution because the platform approach was missing features, basic features, for email protection like DMARC for anti spoofing.

It’s time for the audience question speed round.

32:36.424

[David Spark] I have in my hand here a series of cards that have questions from you, the audience, that I collected earlier. There’s a lot of good questions here, and we got a good amount of time before we wrap up this show. So, I’m going to ask you… I want to get your thoughts on this.

Here is the first one. It comes from Eric Meyer of Equinix. “Per the SEC ruling, how do you define materiality?” So, you know their whole theory is you have to reveal if it’s a materially significant exposure. How are you defining that, Adam?

[Adam Zoller] Yeah, I consult with my friends in legal, and I ask what their opinion is on materiality. That’s what I do. [Laughs]

[David Spark] So, you never make the decision.

[Adam Zoller] So, admittedly I’ve been at an arm’s length from this. The reason is because we’re a not for profit healthcare system. We’re not a publicly traded company. And so my exposure to this issue is not as severe, I would say, as some of my friends in the publicly traded space.

[David Spark] So, you don’t have a definition for it, so you’re dodging the question.

[Adam Zoller] I would say, yeah, I’m dodging the question a little bit.

[David Spark] All right, don’t…

[Adam Zoller] But in the event that I have to answer that question, I’m going to sit down with legal. I’m going to sit down with risk, and I’m going to talk from a business risk standpoint how do we define from a risk standpoint materiality. We’re going to document it and be very specific about it so that if the SEC comes in and audits us to what we’re reporting to the SEC, we have the documentation and the business risk decisions that align to that documentation to prove that we’re doing what we need to be doing.

[David Spark] Could you have that conversation with legal before November 7th when this episode airs so I can get an answer from you?

[Adam Zoller] We’re also not a publicly traded company.

[David Spark] Oh, it doesn’t matter. Okay.

[Adam Zoller] They’d look at me like I’m crazy.

[David Spark] All right. Sam, can you define materiality?

[Sam Jacques] Yeah, so I’m going to ding, ding, ding on his answer.

[David Spark] Ugh. [Laughs]

[Sam Jacques] As a non publicly traded company, we’ve opted out of this. And I will say the government as a whole has really tried to start setting cyber security standards across industry, so I don’t think we’re going to get out of this for long. But I agree.

My friends in legal become your best friend.

[David Spark] All right, this one comes from Vickie Urias of Rinchem Company. “When you’re always trying to catch up and you feel you’re falling behind, how do you actually stay ahead?” Either one of you jump in on this one. We all feel this.

[Adam Zoller] It’s a very open ended question.

[David Spark] No. But what’s one way…? We always feel like we’re never doing enough. There’s always more things to patch, more vulnerabilities to deal with. And the idea is but at the same time you’re CISO, your job is to look forward, look ahead, plan ahead.

How do you do that?

[Adam Zoller] Jokes aside, everything that we do needs to be aligned to a risk equation. I think Sam said it earlier. Look, every dollar that I spend on cyber security is a dollar that I take away from a hospital’s ability to deliver patient care. So, I need to be sure that everything that I’m doing is making best use out of those limited resources.

Otherwise, I’m taking away from the ability to provide care to the poor and the vulnerable, which is our core mission. So, what we do… We have a strategy, a cyber strategy. It’s very clear on where we play, where we don’t play, what problems we’re trying to solve, and how we align to the mission for Providence to provide care to people.

If we’re doing things that don’t align directly to furtherance of that strategy or advancement of our cyber maturity according to the NIST cyber security framework then we cut it. And we choose to say no on specific things because they don’t align to strategy.

I think being very transparent and very purposeful about those decisions is going to save you a lot of time and help with that prioritization problem.

[David Spark] How do you stay ahead?

[Sam Jacques] Yeah, I agree. Prioritization is key. And fundamentally having robust conversations about that prioritization. Because in the CISO role, we have one view into the organization. Really working with your teams that are at the frontline, really talking to frontline physicians, frontline clinicians about what they worry about really puts a different perspective on what we do.

And so fundamentally getting rounded in what is really important versus what we think is really important is really an astonishing way to reset exactly how you set priorities and how you figure out what you’re doing every day to do what’s best.

[David Spark] Good. All right. This comes from Jesse Whaley, who’s the CISO over at Amtrak. He actually has a “what’s worse” scenario. “You have to cut the budget from one of the following – EKG, MRI, PCR pump, or surgery robot. Which one are you dropping?”

[Sam Jacques] Oh, the surgery robot.

[Laughter]

[Sam Jacques] The surgery robot, no problem.

[David Spark] You’re dropping the surgery…? That’s invasive surgery.

[Adam Zoller] What are you doing? What are you doing?

[David Spark] That’s the one you’re dropping?

[Sam Jacques] Yes. You are absolutely dropping the surgery robot. Utilization of robots, for those of us that work in hospitals, is ridiculously low. You have one surgeon that uses the robot Tuesday from eight to noon. That’s it. Then I have a different robot that the surgeon from Thursday from noon to four uses.

In healthcare, I hate to tell you, one of the things we don’t do a really great job in is utilization. I’ll talk about Claroty’s tool that helps us get some visibility into that utilization. We need to have a much more different way of looking at how we utilize the tools that we have.

We have much too much that is under utilized.

[David Spark] Do you agree or disagree with that? Which one are you dropping from the budget?

[Adam Zoller] Yeah, I agree. What I would just add to that is I’m going to consult with our physical group leadership and say, “Look, we’re presented with this tough situation.” I assume this is coming from a security angle, so that’s why I’m involved.

I would say, “Look, we have to make a choice here. We have to cut one of these things. What do you think as the physicians?” And the physicians are going to give me feedback. I suspect it’s going to be the robot. I’m with Sam on this.

[David Spark] All right. Although that person that uses it for the three to four hours, they will be arguing…

[Sam Jacques] Oh, yes. Yes.

[David Spark] “No, cut EKG.”

[Sam Jacques] They’ll be in the CEO’s office yelling about it for sure.

[David Spark] Yeah, all right. This one from Vickie Urias of Avnet says, “How do you ask…?” Oh, I like this one. “How do you ask for budget when companies with bigger budgets than you…” Thinking like MGM. “…are getting breached?” So, you go to the board and say, “I need more money.” Or you go to the C suite, whatever, and say, “I need more money.” And they go, “Why do you need more money?

MGM just got hacked, and they’ve got way more than us.” How do you respond to that?

[Adam Zoller] I would fall back on, again, this is a risk problem we’re trying to solve. And if you’re not having those risk conversations with your board, with your CEO, and trying to quantify cyber security risk and the problems that you’re trying to solve, every dollar that you spend in your cyber budget should be tied directly to a measurable risk that you’re trying to reduce or cyber security maturity that you’re trying to drive forward, or a regulatory need.

So, I think the conversations about looking at MGM or Caesars… Again, hats off to them. I know they’re going through a terrible time, or they’ve gone through a terrible time. No one wants to see that happen to anybody. But comparing yourselves to these other organizations is an effort in futility.

[Sam Jacques] I would agree. I actually don’t even have conversations about money because the money conversation is not the conversation you need to be having, especially with your board. The conversation needs to be about what is risk, where are we with the risk tolerance, and where are they comfortable drawing the line, and what can we do, and what can’t we do.

It’s easy enough for you as a CISO to say, “Well, if you want to get this secure, if this is what you want us to look like, it’s going to cost X money.” Then it’s up to them to say yes or not to X money. If they want to draw the line somewhere else, that’s where we have to meet them.

[David Spark] All right, I want to squeeze two more questions in the last few minutes we got. This comes from Phil Englert who’s with Health-ISAC. “How do you take advantage of the new FDA requirements?” Which are requiring actual security in devices, or they can’t be distributed to the marketplace. “How are you taking advantage of these for device manufacturers?”

[Sam Jacques] Yeah, so this is a new thing that’s coming out. It went into full effect October 1st, so it’s a very timely conversation. We as healthcare entities aren’t going to see this for a little while because products are going to take a little bit of time to get through the FDA and actually get approved.

But I will tell you as security professionals who do those intake kind of questions when we’re assessing new technology coming, you better be changing your intake questionnaire to ask about, “Have you implemented these new requirements? Tell me how you’re doing it.

Tell me what your communication looks like. Show me exactly how it’s going to be different than it was in the past.” The other thing I’ll tell you from an implementation type of perspective is this is a step in the right direction, but it doesn’t necessarily get us everywhere that we want to be.

And so having those open and honest dialogues with your vendors, especially your third party vendors that are a lot of risk to us at this point, is something we have to get much more accustomed to doing on a much more regular basis.

[Adam Zoller] No, I agree 100%. Look at updating documentation, your third party risk assessment process, and holding your vendors accountable to conforming to these new guidances that are coming out of the regulatory entities. I’ve had too many calls with too many vendors about how they’re not conforming to really very basic security controls.

[David Spark] All right. Very last question. I want quick answers on this. This comes from George Eapen of Petrofac. “What’s easier, becoming a CISO or staying a CISO?”

[Laughter]

[Adam Zoller] You want to take that one?

[Sam Jacques] Yeah, so funny enough Adam and I were having a little conversation before this meeting, and we were talking about how easy it is to get fired as a CISO. In reality though, if you’re doing the right thing, if you’re focused on risk and you’re having conversations to really bring an enterprise risk management strategy to your organization, it’s very hard to fire you.

So, in my mind, it’s maybe easier to become a CISO than it is to get fired from being a CISO.

[Adam Zoller] Look, I think if you have the right aptitude and the right attitude, you can become a CISO. Anyone can be a CISO with those two elements. I think staying a CISO is a very personal question, too. And often times what’s getting overlooked is your personal goals and aspirations.

And if this is really right for everybody… I can tell you, it’s a very high stress role. It’s a very rewarding role, but it’s not for everybody.

[David Spark] Do you think I could be a CISO?

[Adam Zoller] Absolutely.

[David Spark] You’re absolutely wrong on that one. Not a chance.

Closing

[David Spark] All right. Thank you, everybody. Let’s hear it for my guests right here.

[Applause]

[David Spark] Adam Zoller, who is the SVP and CISO over at Providence and also Sam Jacques, who is the VP of clinical engineering at McLaren Health. A huge, huge thanks. I can’t thank them enough, Claroty. If you’re not aware, secure your cyber physical systems.

For those of you listening at home, or in your car, or when you work out…however you’re listening to us right now, go check them out at claroty.com. I’m going to let you both have the last word. Any last thoughts on today’s conversation?

[Adam Zoller] Join healthcare. We need all the talent we can get. It’s a very, very rewarding career path.

[Sam Jacques] I agree. It’s a very mission driven place to be. And so if you truly want to help people, come find us.

[David Spark] All right. Well, thank you very much to the audience. We greatly appreciate you contributing and listening to the CISO Series Podcast.

[Applause]

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines Week In Review.

This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com.

Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.