Take Two-Factor Authentication and Call Me in the Morning

Cybersecurity controls almost inevitably create some kind of friction in the business. In some industries, that friction can be inconvenient. But in a healthcare setting, that friction can cost lives. How do we keep these organizations secure when there is so much at stake?

This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining us is Janet Heins, CISO, ChenMed.


Huge thanks to our sponsor, Guardsquare

Guardsquare delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps. From app security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication. Learn more about how to protect your app at Guardsquare.com.

Full Transcript

Intro

0:00.000

[Voiceover] What I love about cybersecurity, go!

[Janet Heins] I love learning about the business and going into all the little nooks and crannies of the business and finding out what makes it tick and what’s important and how I can help.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host for this very episode, you all love him. He is the principal over at Duha, none other than Andy Ellis. Andy, say hello to the audience.

[Andy Ellis] Good afternoon, folks, or good morning, good evening, or good night.

[David Spark] And what language is that in, Andy?

[Andy Ellis] That would be American English.

[David Spark] American English, okay.

[Andy Ellis] Because I said “folks.”

[David Spark] Folks, okay. If it was in British English, what would it be?

[Andy Ellis] Blokes.

[David Spark] Blokes, okay, folks to blokes. [Laughter] All right, I like it.

[Andy Ellis] And if it’s Australian English, it’d be mates.

[David Spark] Ah, good point. All right, our sponsor for today’s episode is a brand-new sponsor of the CISO Series. It’s Guardsquare – mobile application protection, multi-layered protection, unified with automated security testing. Detect threats in real time and trust that it’s your app interacting with your APIs, more on just that a little bit later in the show.

Andy, you want to know what my [Inaudible 00:01:24] is today?

[Andy Ellis] What is it today?

[David Spark] My issue today is my fish tank. So, I have always had a fish tank. This is, I think, the fifth one I’ve sort of, in all the years that I’ve lived, you know, since college I’ve had a fish tank of some sort.

[Andy Ellis] Mm-hmm.

[David Spark] And it was discovered there was a pinhole leak through one of the seams, luckily at the top of the tank, so at like the top third of the tank. And it was one of those things where there was literally a very slow drip and there was this big puddle on the floor.

I’m like, “Ay, yi, yikes.”

[Andy Ellis] Were you able to put like a ball into the pinhole?

[David Spark] No, it’s not.

[Andy Ellis] And then seal it? Because then you’d have a pinball.

[David Spark] No, no pinball, no ball. Very funny. It’s actually not far from where my pinball machines live. So, I did try good old fashioned Gorilla Glue that works on glass. That does not work at all.

[Andy Ellis] Mm-hmm.

[David Spark] You need to literally fix the seam on the inside. Well, not easy when there’s fish still swimming in the tank. So, I’ve come to the position of I got to get rid of the fish. And most aquarium stores will take donations of fish, like when people have a situation.

[Andy Ellis] Okay. Or you could have sushi.

[David Spark] [Laughter] That is true, I could have sushi. But I will tell you, these fish are not that big and there is not much meat on them. So, amazingly, one of the aquarium stores I called, they were like, “Uh, I don’t know if we can take them. Like, we have a big order coming in.” And I’m like, “Ay, yi, yi. Forget you people.” And I found another one that’ll take them. It’s just a little further drive. But that will be my project, and I’m putting them in a bucket and taking [Laughter] them to another fish store to donate them.

[Andy Ellis] Your stories get fishier and fishier every week.

[David Spark] Oh, and your jokes get lamer and lamer. [Laughter] All right. So, now you know what I’m going to be doing later this afternoon.

[Andy Ellis] Do you know something? Maybe someone will get them, we’re recording this during Hanukkah.

[David Spark] Yeah.

[Andy Ellis] But maybe those’ll become a Christmas present for someone.

[David Spark] It could be. Or it could be Hanukkah because we’re on the last few days of Hanukkah.

[Andy Ellis] It could unless I suspect at this point, parents are not running out to get the Hanukkah presents for the seventh or eighth night but could be.

[David Spark] Well, not only that, luckily, this is, by the way, my most successful fish tank, and some of those fish in there are over two years old.

[Andy Ellis] Wow.

[David Spark] So, nobody wants a two-year-old fish. I’ll tell you that much.

[Andy Ellis] Yeah, you should be sending them to like the assisted living facility.

[David Spark] Yeah. But there’s no way to look at a fish and know that’s a two-year-old fish. I can’t tell.

[Andy Ellis] I don’t know that I can tell other than by the smell, but you know, I mostly work with fish for cooking.

[David Spark] When they’re swimming, you really can’t smell them.

[Andy Ellis] Yeah.

[David Spark] All right, let’s introduce our guest. Thrilled that she’s here. One of our absolute favorites. She is the CISO over at ChenMed, none other than Janet Heins. Janet, thank you so much for joining us.

[Janet Heins] Hey, it’s great to be here. Thank you.

Understanding security sales

4:18.527

[David Spark] What happens when a CISO tries to buy something? Andrew Becherer, CISO at Sublime Security, recently detailed his Kafkaesque journey through vendor “Contact Sales” forms. Unlike the typical cold-call outreach, Becherer flipped the script.

He actively sought out four vendors, filled out their forms with real details, and essentially gift-wrapped himself for their sales teams. The results? One professional response, one display of chaotic inefficiency, one requiring a LinkedIn deep dive to find a human, and one that might be a honeypot.

The irony is that when you’re ready to buy on your own terms, vendors can’t seem to answer the door. So, what’s really happening here? Is the vendor buying experience actually this broken? Or are security companies so focused on outbound sales that they’ve forgotten to handle inbound intent?

And for you, I’m going to ask you, Andy, what’s worked to actually get a vendor’s attention?

[Andy Ellis] The interesting thing here, I would love to know the size of the companies he did this with, and maybe I’ll reach out and ask. Because what I often see is that companies treat their marketing team and their sales team as very separate entities, right?

There’s a marketing pipeline that then kicks people over into a sales pipeline.

[David Spark] Yes, I would agree.

[Andy Ellis] And marketing owns the website, and so you fill out that form and you would think it’s going right to somebody in sales, but instead it often is ending up in some queue now for outbound because there isn’t an inside or direct sales organization, especially in a smaller company.

Once companies get larger, you would hope that somebody typing in that form, it goes right to a sales rep who’s going to turn around and call you immediately and be like, “Hey, great, I’m very happy you’re here,” and in a mature organization, that is actually what you want to aim for.

Like your goal is to have everybody be inbound.

[David Spark] Sure.

[Andy Ellis] Because it means your marketing and messaging is working, people know you, they’ve done the research, they’re coming to find you. But in reality, what’s happening is we’re trying to build these full-service marketing sales organizations, we don’t have enough people, we don’t have people who even understand how that pipeline should integrate.

And so, somebody owns the website, they put in this form, and so you fill it in, it might just go to the content manager. And if they got laid off last month, maybe it’s not going anywhere.

[David Spark] Well, also, I would assume a lot of this stuff that comes through the form may be garbage and nobody wants to be dealing with that.

[Andy Ellis] There’s a ton of garbage there. The number of CISO communities I’m in, where when a CISO wants to buy, they say, “Hey, who has a contact at?”

[David Spark] Right.

[Andy Ellis] And then another CISO’s like, “Oh, yeah, I’m a customer there, I’ll introduce you to my sales rep.” When I worked at Akamai, I would say I probably had one of those a week, where a peer came to me and said, “Hey, I want to buy from you, can you get me a sales rep?”

[David Spark] Right, and also someone you trust because you feel like if you go through the contact form, like, well, you’re going to get the lowest of the lowest, probably.

[Andy Ellis] Yeah, and it’s painful because like in an enterprise company, you’re going to have to go find the right sales rep. Like if I’m the CISO of the vendor, and you want somebody, I have to go find out who’s going to actually get the commission, and make sure you talk to them.

Because otherwise, the person who you first talk to is like, “I don’t get paid if we close a deal here because that’s not my account.”

[David Spark] Good point, all right. Per Andy’s description, sounds pretty broken. Have you had this experience, or colleagues, Janet?

[Janet Heins] Well, I think you nailed it. I think what’s happening is that they’re so focused on banging on my door, that they’re not looking at their own door, right? They just don’t, they’re all outward facing. And personally, I’ve never filled out a form.

I’ll admit to that because I don’t think they go anywhere. Who knows? You hit enter, and it’s gone. And you get back that little, like, “Someone’ll be in contact with you, thanks for your interest,” and you never hear back. So, I don’t go there. I agree that it’s a peer thing, right?

You really do need to find out who’s who from your peers. And it’s like navigating without a phone book, right? You have no idea where to go. Sometimes I go on LinkedIn if it’s a company that I can’t get a reference from another peer. But as a CISO, they’re just hitting our doors.

They’re not looking at their own.

[David Spark] Well, so, okay, then my ask for both of you, if the experience could be different or better than it is now, that you don’t have to do the end around to get the salesperson that’s sort of qualified to handle you, what would you like to see instead, Andy?

[Andy Ellis] Well, I would actually really love it if marketing teams were integrated more tightly into sales teams. I think that marketing teams have sort of tried to create this independence, and it should be that, no, no, no. The website has two different roles.

One is brand and messaging, classic market function, but one is a sales function. When somebody says, “I have intent,” that needs to go right to sales. Whereas right now the problem is sales doesn’t trust marketing, so now it has to get vetted by marketing before they will give it to sales when you’ve already got somebody who’s expressed intent.

[David Spark] All right, Andy wants marketing and sales more integrated. What do you want, Janet?

[Janet Heins] I want there to be a pathway. I want there to be an actual focus, someone on the other end, right? That’s focusing on it and saying, “Oh, they’re coming to me, let’s pay attention to them. They’re coming to us, let’s pay attention to them.” This is actually the warmest call you could get, right?

[Andy Ellis] It is.

The great CISO challenge

9:34.590

[David Spark] “If your CISO reports to the same exec who creates the risk, that’s not oversight, it’s hostage negotiation.” Now that’s Joshua Copeland of Crescendo, who by the way, puts a lot of unpopular opinions out there and he really stirs the pot.

So, we love Joshua for this. So, he dropped that bomb on LinkedIn recently arguing that what we politely call alignment is really just containment. The same executive who overrides security controls signs the CISO’s performance review. He argues you can’t empower security while keeping it on a leash.

And if security leadership can’t challenge the source of risk, it’s not governance, it’s theater. The question isn’t whether this is a theoretical problem, it’s whether CISOs can actually do their jobs when trapped in these reporting structures. If you’re in one of these compromised reporting lines, what’s your strategy for maintaining independence when your boss might be a primary source of risk?

Have you been a part of this, Janet? Have you seen this? Have your friends seen this? Like, what do you do in these situations? Do you agree with Joshua? Let me ask you that.

[Janet Heins] I totally agree with him. In fact, I insist on not being part of that.

[David Spark] Good.

[Janet Heins] As far as when I look for roles, my last two roles, current role included, I am not in that line of command. And I’m a peer organization, which is much more helpful in getting things done. So, you’ve got people listening to you that normally wouldn’t even hear you.

You’d be stifled, you’d be muffled, you’d be silenced. So, I completely agree with him, and I think it should be the way CISOs report everywhere.

[David Spark] Good point. So, well, you agree. So, my question is there are a lot that are under this reporting structure. In fact, I wouldn’t be surprised if it’s the majority. What do you do if you’re in that situation? Like, let’s just say you’re stuck.

You’ve definitely negotiated well for yourself, but others have not. What should they do?

[Janet Heins] Well, I think they’ve got to find someone outside of that chain of command who can advocate for what they’re trying to get done. And sometimes it’s the risk organization, sometimes it’s risk management or enterprise risk, sometimes it’s legal, and sometimes it’s the chief financial officer.

There are different places you can go to get that advocacy for what you’re trying to do and to make sure it stays seen as a risk, it gets developed, it gets funded, and you are able to close down those risks. And the challenge is, as you raise, or as Joshua raises, that performance review, right?

And so, you’ve got to get those same advocates in the rooms that you’re not in, right? Speaking up when it comes time for performance evaluations and during calibrations of performance reviews, making sure those folks are advocates for you as well and understand what you’re trying to do and support you.

[David Spark] Very good. All right, Andy, the same question to you. A, have you ever been in this? I don’t think you have. Have you?

[Andy Ellis] Well, actually, so the answer is yes, and I’m actually really glad I have an ottoman that my feet are on because as you’re reading Joshua’s words, I’m really glad I didn’t get my feet really dirty there because boy, was he shoveling it.

[David Spark] All right.

[Andy Ellis] I actually disagree strongly.

[David Spark] Well, let’s hear it. This is what we like.

[Andy Ellis] But in a way that’s nuanced. And first of all, the CEO creates all risk, and none of us are advocating that the CISO doesn’t work under the CEO somewhere. So, at some point you have to say you do not have independent governance over the company.

Like that is not the role of the CISO. But the way that Joshua has worded this assertion, that’s what would be required to solve this. The CEO ultimately defines your compensation. Now that said, I think there’s a lot of organizations where there is an operational executive, the CIO or maybe the COO, who owns all technology and is sort of hands on that organization, and then they bring the security underneath them.

If you’re in that role, you are not governance. You are security operations for that organization. You do not sit independently from them. You have to accept that and say, “Oh, look, my job is within this organization, what can I do?” I need to learn psychology so that I can manage upwards and adjust the risk profile of this person, that I don’t get to go independently and say, “Oh, my boss is screwing it all up.” Let’s just be very clear.

The correct answer to that situation is to pick up the phone, call Janet and say, “Hey, Janet, how did you determine where to take a job where you weren’t going to get stuck in this?”

[David Spark] [Laughter]

[Andy Ellis] Because that’s just part of the job. Now, if you’re fortunate, you might have a larger span than your boss does. Like I’ve been in that role where my boss had a narrower span over technology, and I had security governance across the whole company, including over my boss.

And yeah, it created a lot of tension. And the worst cases were where he would tell me, “Oh, yeah, we need to get this work done.” I will tell your peer X to go do it, and then I’d go sit and talk to the peer and the peer’s like, “No, I got told not to do this work,” right?

And I’ve got a boss who’s doing that. And then when I go back in front of the CEO with my boss in the room, like, “Well, this work isn’t getting done yet because it’s been deprioritized over here.” And the CEO looks at my boss and says, “Well, you need to fix that,” and my boss is like, “Oh, yeah, we’ll fix that,” and then nothing ever happens.

At some point, you just accept that that’s part of organizational dysfunction in the corporate world and say, “What can I actually get done?” instead. Because here’s the real secret. There is plenty of good work to do. Stop beating your head against a wall that you’re not going to break down.

[David Spark] And I should also mention, correct me if I’m wrong, whether you’re underneath the CIO or not, you’re still working with the CIO.

[Andy Ellis] Yes, absolutely. I mean, you should be working with everyone. What I love about security very much – Janet’s cold open just hit for me the exact thing – you are the widest-reaching executive in the company. You have to learn every line of business, everything that they’re doing, and it is fun.

If you don’t enjoy that, like, go find another job. Because the real job is not how do I stop people from doing stuff. It’s how do I help make them more effective in a safe way, and to do that, you get to be right up close with them. So, you’ve got to have great relationships with every one of them.

[Janet Heins] I completely agree with Andy that you really do have to pick your battles, and sometimes I find myself pushing a big boulder up a hill and I have to stop myself and ask why. There’s so much more to do. There’s so much to do. And so, just really making sure you don’t get stuck in that’s the only pathway and thinking about what else you can do that improves the security maturity of the company.

Sponsor – Guardsquare

16:14.367

[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor and that would be Guardsquare. Mobile apps today have become an inescapable part of life, right? Ranging from financial services to healthcare, retail, and entertainment, users trust mobile apps with their sensitive personal data.

But a recent survey showed that 72% of organizations experienced a mobile application security incident last year and 92% of respondents report rising threat levels over the last two years. Meanwhile, attackers who want your users’ personal data are constantly finding new ways to attack your mobile app.

They reverse engineer it, repackage it, and distribute the modified app via phishing campaigns, sideloading, and third-party app stores. By taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and maintain the trust of your users.

That is where Guardsquare comes in. Guardsquare delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps, combined with a mobile application security testing to find vulnerabilities and real-time threat monitoring to gain insight into those attacks.

Discover more about how Guardsquare provides industry-leading security for your mobile apps at guardsquare.com. And when you go, let them know you heard about them from the CISO Series.

It’s time to play “What’s Worse?”

17:54.999

[David Spark] All right, Janet, I know you know how this game is played. Andy, I make him answer first. You agree or disagree with Andy. This comes from one of our favorites who I actually just saw in Austin, Texas, not too long ago, Dr. Dustin Sachs, who actually has his own new company called PsyberCog Labs.

So, this is spanking new for him. And this is a short one, and I like this one. Get ready. What is worse, Andy? It’s a third party with mature security but zero transparency, total black box, or a third party with weak security but radically open about issues and gaps, so you know where all their issues are.

Which one’s worse?

[Andy Ellis] So, I love this one. And Dustin, this one’s really good because I think there’s an obvious answer, but I know a lot of people are going to disagree with me. And those are, to me, those are sometimes the best where it comes down to what’s my philosophy.

[David Spark] Right, this is totally a philosophy one.

[Andy Ellis] Right, and in this case, honestly, much as it hurts, I’m going to say, like, the one that no transparency but great security because at the end of the day, I can just outbox it and I’m like, “I don’t know exactly how you’re doing it. You’re hard to interact with, but man, I don’t have breaches from you, I don’t have problems.” Whereas the vendor who tells me, “Oh, yeah, I’m a complete walking disaster.” First of all, now I know you’re a disaster.

So, I’ve got a whole bunch of new issues that just popped up because I’m aware of the problem, but I’ve got to deal with it. But you’re not going to improve because that is rule number one is I don’t get to alter the scenario.

[David Spark] Right.

[Andy Ellis] So, you are my vendor and you suck and I know you suck and you will never get better. Like, I have a hard time in that environment, even if then when my auditors show up and say, “Well, do you audit all your vendors and know what they do?” I get to say, “Yes.” The next question is going to be an ugly one.

“Well, have you fixed them?” “No.”

[David Spark] [Laughter]

[Andy Ellis] So, I’m going to go with the transparent, but bad vendor is the worst scenario. But I really love this one, Dustin, because I suspect we have a lot of listeners who are going to gravitate the other way that they don’t like the lack of transparency.

[David Spark] I bet you Mike Johnson would have said the opposite.

[Andy Ellis] Mm-hmm.

[David Spark] Because he likes to know, he likes to know.

[Andy Ellis] Well, let’s see what Janet goes with.

[David Spark] Janet, agree or disagree with Andy here?

[Janet Heins] I completely agree with Andy because once you know, you know, and you can’t unknow, and then you’ve got to deal with all of it. And if you’ve got a nice, tight, clean vendor that says, “Hey, here’s all my reports. I’m wonderful, but you can’t look under the covers.” Okay, I’ve done the due diligence I can do.

[David Spark] I mean, heck, a lot of security is trust. So, you get to a point of like, well, we’re just going to trust them and that’s how it’s going to go, and we’re done with that. Even though we really can’t see what the heck they’re doing.

[Andy Ellis] Yeah. And look, I’ll be honest. I started my career that way. When I was early days of Akamai and I’m doing sales calls, I’d have customers start asking details and I just didn’t even want to answer them. And so, I would at some point be like, “Look, we’re just stopping here.” Over time, I got to, “Look, I’ll tell you pretty much anything as long…

Like I’m not going to tell you exactly what keys we use to log into our deployed network, but I’ll tell you the size of them, I’ll tell you the algorithm, whatever.” Because 99 times out of a hundred, that just ended the conversation right there, and it wasn’t anything that an adversary couldn’t mostly figure out anyway.

So, we all know that transparency is good, but good security is better.

[David Spark] So, it’s interesting you say that, and I’ll throw this to you, Janet, for the final comment. This whole show is about security, the whole network is about security, but we spend more time talking about the subtext, which is essentially, are you transparent?

Do you know what’s going on? Because if you don’t know what’s going on, you know, the classic thing we hear from all these vendors about you can’t secure what you don’t know. We’re so obsessed with the second level and not the top level that often we just go, “Hey, if it’s secure, be happy with that.” What do you think?

[Janet Heins] Yeah, no, I think you’re right. And I think it’s because, depending on who you’re working with as a third party, what your experience has been, right? Have you experienced that you need to dive in deeper because you’ve got these people who are very transparent but don’t have a lot of security versus just saying, “These guys got it together, they know what they’re doing, and I can back off.” Because I think we’re like almost programmed to just keep diving in and diving in and diving in.

[Andy Ellis] Yeah.

[Janet Heins] And we don’t know when good enough is good, right?

[Andy Ellis] Well, and I think the key on that one, the keep diving in, is I’ve had a number of customers in the past who just kept pushing on transparency. They wanted more and more, and they wanted real time. It’s like, “I want to know exactly the software on every one of your devices all the time.” I was just like, “No.” Partly because I don’t want to deal with your questions because I know that it will not end there.

Then you’ll be like, “Well, why are you using this version?” and “Why didn’t you patch it on Sunday instead of on Monday?” and “Why didn’t you?” and you’d be so wrapped around this like micromanagement through transparency. And so, as a vendor, honestly, there is a limit of look, I will tell you my controls, but I’m not giving you real-time visibility into the operating model on my platform.

[David Spark] Well, many of the vendors are trying to sell that very concept of real-time visibility.

[Andy Ellis] Oh, they sell that they will give it to you, but they don’t actually.

It’s time to measure the risk

23:16.756

[David Spark] Buy or build is a familiar dilemma in cybersecurity. Does it even extend to risk methodologies? Rebecca Brock of Safe Security had a discussion after the FAIR conference with someone concerning building their own risk quantification methodology from scratch rather than adopting FAIR.

Now what’s gained versus what’s lost when you abandon a standardized model that’s been tested, refined, and broadly understood across the industry? FAIR isn’t a new kid on the block when it comes to risk quantification, yet plenty of security leaders remain skeptical or feel it doesn’t fit their needs.

So, I’m going to start with you, Janet. Have you seen a roll-your-own risk methodology actually work long-term and what did it take to build and maintain it? When does build versus buy work/not work with risk models?

[Janet Heins] I have not seen a homegrown or built a homegrown risk model. I don’t understand why you would. I get that there are nuances of risk models that you maybe need to adopt or focus on more or less depending on the industry you’re in and where your risk lies.

But you also, what I think you lose is you lose the ability to really do that cross-industry comparison.

[David Spark] Good point.

[Janet Heins] You don’t have the same framework. I imagine you would be constantly having to map your custom homegrown risk levels to a standard so people would understand them.

[David Spark] All right. Andy, I know you have a lot of passionate opinions about this.

[Andy Ellis] Man, this is like red meat for me.

[David Spark] Yes. [Laughter]

[Andy Ellis] Because I’m on the complete opposite side. I actually think that there are too many people who have a religious fixation with FAIR and it needs to stop in our industry. Like, let’s just be very, very clear. If you actually think that for most organizations, you’re going to be able to walk in and put a price tag on a risk project and say, “Oh, this is a $75 million risk and we’ve got to fix it,” you’re going to get laughed out of the executive room.

Just start with that one. Like, these are not actuarial problems. You cannot take the actuarial methodology that works in insurance that deals across large populations and apply it to singular individual risks.

Like, what FAIR is useful for is if you have a coherent model of your entire system space – massive “if” there – then FAIR is relatively useful in helping you highlight specific components that generate outsized risk by comparison to other components, right?

And you might say, “Oh, my God.” Like, all of the biggest things that have come up when I ran this through Safe Security in this case, since that’s our sales rep who’s saying this, oh, wow, I can just walk in and point out, but I should be able to tell the story.

I don’t need to say it’s a $75 million risk. I should be able to say, “We have this critical library exposed to the public on our web server that can write directly into our production system. We should hide that.” And everybody would be like, “Oh, yeah, you should do that. That makes sense.” Okay, great, thumbs up. Let’s go solve the problem.

So, I actually think that you should use whatever risk methodology you can use that will cause people who make decisions in your company to make better choices. If that’s FAIR, more power to you. But in most companies, it is not going to be FAIR. It’s not even going to be anything that’s risk quantification.

It’s going to be risk qualification. And if anybody wants more on this one, I’ll do a little shameless promotion. Go over to howtociso.com, pull up Volume 2 on Risk, and I walk through like every risk methodology that’s out there, both quantitative and qualitative, where you should use them, which ones you shouldn’t, and how to be really precise in your language here.

But I strongly disagree with the premise here. But you might be lucky and find a company that loves FAIR.

[David Spark] No, the premise was essentially when do you build your own, when do you go with a model?

[Andy Ellis] Well, no, the premise was you shouldn’t build your own. She asked, like, this was a very leading question.

[David Spark] Well, of course, she’s with Safe Security and then she’s supporting FAIR, of course.

[Andy Ellis] Right, the answer is you build your own when that’s what will resonate with executives. I have built my own before. In fact, in my eBook is the one I built, which we called the Pyramid of Pain because that’s what it was like building it.

It was a lot of pain. But the CEO would not accept any existing risk methodology because they all had fundamental flaws. This was not his blind spot. This was the people who’d written the methodologies fundamentally did not understand how business makers make decisions.

[David Spark] But let me go back to what Janet said earlier. How do you compare yourself to others?

[Andy Ellis] The point is you don’t compare yourself to others except in very specific industry spaces. Like you’re in healthcare, what you’re often going to do is say, “Hey, look, I have a vendor that assesses me and I am 95th percentile in my industry.” That’s the comparison.

You don’t come in and say, “I’m a 7.2.” You say, “I am better than average,” “I am worse than average.” That’s mostly what your executive peers want to hear.

[Janet Heins] That’s the comparison that I’m always asked for.

[Andy Ellis] Yeah.

[Janet Heins] Across industries. How do we compare to our peers?

[Andy Ellis] Right. And the answer is whatever your vendor is, you say, “Hey, give me the industry metric and my metric with you,” and it doesn’t actually matter what the metric was as long as you can give a comparison against the measure of central tendency for your industry.

Unexpected outcomes or failures?

28:37.538

[David Spark] “3:00 a.m., heart attack patient, system locked out.” The doctor needs patient history now, but the system demands password reset, two-factor authentication and manager approval, all unavailable at 3:00 in the morning. Nadine Michaelides of Anima People posed this impossible choice.

Follow security rules and let the patient die or break security rules to save a life and create a compliance nightmare. The scenario describes using a colleague’s login to access critical information and save the patient only to face security violations and HIPAA concerns afterwards.

Rather than create an oppositional relationship, security leaders need to engage with doctors about what they need in situations like this. But more broadly, how do you design security when the cost of denial isn’t just data loss but actual lives or catastrophic business failure?

Janet, you are in the health industry, I ask you this. We’ve heard this type of scenario before. Let me just ask you, does it actually happen? I mean, is this a real scenario that happens where essentially technology is preventing healthcare workers from doing their job?

[Janet Heins] Well, certainly at my company, it’s not life or death. I just want to state that in my current company.

[David Spark] Yes.

[Janet Heins] However, in this scenario, if I was given this scenario in my role, I would say it’s the lives of the patients over everything else, right? I mean, that’s why we’re in healthcare period. And for security violation and HIPAA concerns, there’s certainly exceptions that can be documented and taken care of.

Again, we talked about transparency, right? As long as you’re transparent and you get right on it, there’s just no reason anyone would choose security over the life of a human being.

[David Spark] But this is the thing is I’ve heard these stories before. Do you, just in your colleagues and stuff, do you know, does this actually happen where someone like gets locked out of a system and they need to take care of a patient? Does this actually happen?

Or is this a more fictional thing that doesn’t happen? I don’t know.

[Janet Heins] Well, I mean, there’s lots of different ways around that. I just, I wouldn’t say that this is something that… I would say it’s more fictional.

[David Spark] Okay.

[Janet Heins] If I had to make a choice. And the reason being is it’s not just one human being that has the information about another human being, right? The doctor is not the only provider that has information about a patient. So, there’s other ways to get that information.

[David Spark] All right. Good point. All right, Andy.

[Andy Ellis] But I think the core premise, which is there are security rules that get implemented that impede the healthcare practitioners from doing their job of taking care of patients, is absolutely true. Like I know a story of a hospital that disabled the ability to print patient records, right?

Because they didn’t want someone to print the patient record and take it out of the building, but the terminals were not in the patients’ rooms. So, they were expecting nurses to memorize what they had seen and walk into the room. So, since they had disabled direct print out of the record, but they were still on computers that had a print screen button.

And so, that’s what would happen is the nurses would go to the nurse station, hit print screen, and now they’re printing more than what was in the report that they actually needed to record vitals or whatnot. And so, recognize that the humans are going to work around your system.

[Janet Heins] Yeah, or worst case, they’re going to take a picture of the screen with their personal phone, and now they got PHI somewhere else, right? They’re all going to, there’s workarounds for everything, right?

[Andy Ellis] Yeah. But here’s the mindset that I like to give people for incidents, which is sort of the initial phrasing if we accept the movie plot scenario here, which is the way you should think about incidents is this – incidents give you a credit card, right?

And the worse the incident is, the higher the limit on your credit card is. And in a sense, what the credit card is doing is buying new incidents. That if you have the disastrous incident, like there’s a patient life on the line, you have a credit card where you get to create any incident you want that does not affect another patient’s life.

Like I’m saving a life. Yeah, I can create a compliance nightmare all I want, clean it up tomorrow. I can break systems, I can violate every rule there is, as long as it is not as bad as what I’m currently cleaning up. And if you walk into that mindset.

[David Spark] Right, and you’ve got, essentially, you’ve got the credit card limit or the budget. And the whole thing is that we can have – by the way, I love the credit card metaphor here is because there are some people who pay their credit cards every month and some who do not.

[Andy Ellis] Right, right. But in this case, your credit card is just measured in lower severity incidents. I got a severity one incident? I got the severity two credit card. I can walk through and create severity two incidents all I want to fix the severity one problem.

And then now we’ll take severity three incidents to fix the severity two incidents until you’ve got this all cleaned up. It’s a great mindset for incident responders. Like this question, even if it was real, if Janet said, “Oh, my God, yeah, this happens all the time.” But nobody is going to come up with a different answer than Janet came up with, which is, “Of course you save the patient’s life.”

[David Spark] Yes.

[Andy Ellis] Like nothing else matters at that point.

[David Spark] Well, and you say it’s mostly fictional. My guess is, because I’m sure you’ve heard these scenarios before, this is all designed to say, “We want to win this way.” Yes, Janet? You see what I’m saying? That they come up with these scenarios and where everyone goes, “Yeah, of course we’re going to save the human’s life,” but they’re created to say, “We’re more important.

We have to take control of this conversation.” I’m just throwing that as an argument. Does that happen?

[Janet Heins] I’m sorry, David. I’m not following what you’re asking me. I think I got a little lost.

[Andy Ellis] Yeah, I think, let me re-ask David’s question. Because David’s saying when you’re designing the system, you’re going to roll it out, and you have the operator, in this case, the physicians.

[Janet Heins] Yeah, the doctor.

[Andy Ellis] The doctors. They’ll put in place this scenario. Now, David’s doing it as a part of their ego to say, “Well, we’re more important. We refuse to listen to you.” No, I’ve had people put out this scenario to say, “You don’t understand the business.

Why are you proposing dangerous things?” If someone said, “Oh, look, if you get locked out, you have to go take an hour before – to get yourself unlocked out – before you can return to work.” Like anybody who said that to a physician should rightfully be disregarded from any conversation in the future.

[David Spark] [Laughter]

[Janet Heins] Right.

[Andy Ellis] Right? And if you’re being disregarded in that way, that’s not ego on the other person’s side. That was your ego that created that problem. That you thought you knew better than the operator how they should do their job without ever walking alongside them.

[David Spark] All right, Janet, your take. Andy, thank you for explaining.

[Janet Heins] So, my take on this is you’ve got to understand what the doctors need and when they need it. And you’ve got to also think about resiliency, right? So, whether it’s a system lockout or it’s a system down, or it’s whatever, there’s got to be, and especially in healthcare, there’s got to be resiliency built in so that you know you don’t have to say that that database, that system, that application is what’s going to save, access to that is what’s going to save the patient’s life.

There’s got to be resiliency and that’s a whole ‘nother topic.

[David Spark] Correct.

[Andy Ellis] Absolutely.

[Janet Heins] Yeah, yeah. But I totally agree that you’ve got to understand where the physicians in this case, in this scenario you’re talking about, where the physician’s coming from, what they need, and they’re the expert, not me.

[David Spark] Good point. All right.

Closing

35:59.710

[David Spark] That brings us to the very end of the show. I want to thank you, Janet Heins, who’s the CISO over at ChenMed, making sure that she’s never put into one of these fictional scenarios at all. She’s never in it, but she supports it 100%. Yes, we’re all here at the CISO Series, we are all for saving lives.

And that’s what we do here at the CISO Series. Would you agree, Andy?

[Andy Ellis] Oh, absolutely. Our goal is to save lives, mostly your life, so that your executives don’t strangle you for coming up with bad ideas.

[David Spark] [Laughter] There’s always one way that we’re figuring that out. Huge thanks to our sponsor, and that would be Guardsquare. Remember, go to their website, guardsquare.com, for mobile application protection, multi-layered protection, unified with automated security testing, detect threats in real time, and trust that it’s your app interacting with your APIs, guardsquare.com.

Thank you for sponsoring the CISO Series. Huge thanks to you, Janet, for coming. Any last words you’d like to say to our audience? About anything, for that matter?

[Janet Heins] Well, I want to make a shameless plug for a book that I wrote.

[David Spark] Oh, yes.

[Janet Heins] Yeah, called Go Ahead, Ask For It. It’s available on Amazon, and it has nothing to do with security.

[David Spark] What is Go Ahead, Ask For It about?

[Janet Heins] It’s about taking control of your career, and it’s also it helps with your personal life as well, going ahead and asking for things you want. And I don’t mean like, “May I please have?” or “Will you please?” It’s having the backing and the credibility to ask for what you want in your life.

[David Spark] I love it. And by the way, Andy wrote a book that has nothing to do with cybersecurity either, 1% Leadership. So, we will link to your book, we’ll link to Andy’s book, why not? We’ve done that before. Thank you very much, Janet. Andy, as always, we appreciate you as well.

And we appreciate our audience. Huge thanks to our audience. We greatly appreciate your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.

Thank you for listening to the CISO Series Podcast.