Innovating Beyond Frustration | UnHack the Podcast with Anahi Santiago and Krista Arndt

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong. Innovating Beyond Frustration | UnHack the Podcast with Anahi Santiago and Krista ArndtUnhack May [00:00:00] Drex DeFord: I'm Drex Deford, president of Cybersecurity and Risk at this Week, health in the 2 29 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together because cyber safety is patient safety. Let's get started. Hey, everyone. I'm Drex and this is UnHacked Podcast. I'm really lucky today. I've got Krista and Anahi with me. How you doing, ladies? Good to see you. Krista: Yeah. Excellent. Drex DeFord: Excellent. Perfect. Awesome. Anahi, I'm gonna start with you. Tell us a little bit about your background, but in the pregame, uh, kind of warmup, uh, apparently you have a anniversary coming up. Anahi: I do. You know, Easton, yeah, I'm the CISO at ChristianaCare. Uh, Christiana Care is the largest health system in Delaware with, facilities in New Jersey, Delaware, Maryland, and yeah, so on Star Wars Day, I [00:01:00] will, uh, celebrate my 11th year as their CISO- Drex DeFord: Wow. ... Anahi: it's mind-blowing. I never in a million years thought that I would be here for 11 years, but honestly, I can't imagine being anywhere else. Drex DeFord: So just so that everybody knows, when we started to, started talking about May the 4th on, uh, our email thread in advance, Krista immediately had some breaking and amazing news. Krista: I Drex DeFord: just, Krista: I did this for you, Anahi, today. This is where my background- ... For you. Yeah. So the Mandalorinian Grogu, I was like, yes, Anahi, it comes out on, like, May 22nd or something, and I will literally be one of the first people there to see it. Anahi: I literally ran downstairs and, and said to my husband, I'm like, "Did you hear about this Kroger movie?" He's like, "No, how did I miss it? " I'm like, "I don't know how we both missed it, Drex DeFord: but- I missed it Anahi: too." So good. You're welcome. Drex DeFord: Yeah. So good. So Krista, tell me a little bit about [00:02:00] your background and, uh, what's going on at St. Luke's. Krista: I have a lot of different. Things I've done in my life and, uh, very non-linear, but I've worked in, um, the Department of Defense Crypto Finance. I was actually a national orthopedic healthcare CISO before I came to St. Luke's, and then I came to work under an amazing, uh, leader, uh, under David here when they opened up a new associate CISO position. Uh, so I have a lot of background from a lot of different verticals, and it's fascinating to see how differently everybody attacks the similar problems and then how, how many other, um, unique obstacles healthcare has. So I've been here two years now. Um, my anniversary is not as cool as Anahi. Uh, it's just at the end of June, so but yeah, I'm at St. Luke's University Health Network. Uh, so we, 16 campuses, um, I wanna say about, like, probably 26,000 employees right now, um, a ton of outpatient sites and affiliates who are all amazing. Um, and really our focus is to innovate in, in [00:03:00] spaces that make care decisions, um, more effective for our patients. And, and so, um, our CIO and team are doing a great job with that, and it's really cool. We have a huge focus area on, um, creating a security program to enable, you know, the AI wave that is, uh, already being used here. And, and I just created my own domains because NIST framework can't keep up. So that was kind of fun. I love innovating. Drex DeFord: Really interesting. I was looking at some, uh, doing some research ahead of time. Uh, you're saving nearly 200 hours a month using Microsoft Security Copilot. So tell me that story. And I mean, of course, we can't have a show without talking about AI, so I'm sure we're gonna talk a lot about AI. Krista: that honestly is all my team. Um, and I'll say The short story is getting rid of mundane administrative tasks with ticket review, ticket triaging, closure and things like that because Copilot is very [00:04:00] intuitive, so it's helping us to, uh, to attack and, status and remediate tickets without any human intervention. And then it also is enabling us to document closure actions, document, um, incident summaries and all that stuff that used to take security analysts, uh, a million hours to do to save money to move them onto project work to help us innovate our program and really make everything as autonomous as possible in security. Drex DeFord: How did you start? What was the, how, how did you get kicked off? What was the- Krista: Frustration? Drex DeFord: Yeah, okay. Krista: Drex and I were talking about psychology before you came on Anahi and I think it's human nature that we only innovate out of necessity and frustration. Like you have to have a motive for it. And so frustration, the fact of we get so many tickets to address that you just, you, there's not enough manpower, right, with how quickly the speed of business is moving. And so my team always [00:05:00] looks to, how can we improve it? It's not, "Oh, we'll never keep up." It's, there's gotta be something we're missing. Like, how can we automate? Um, and then where do we keep a human in the loop? So really the team came together and was like, okay, you know, they, the whole point of AI, because we're a Microsoft design partner, which is also very helpful, is to, to help automate and move the administrative stuff, the, the repetitive stuff off of people's plates, and really that's where they focused. Um, and they freed up a ton of time and, and energy, so now they're helping to build out the controls for ... I, I feel like we should start drinking every time we say it, but for our AI enablement, the organization. Drex DeFord: Uh, this was a thing that actually, um, we talked about, uh, A- Anahi was just with us in a summit in, uh, in, uh, Dallas. I know that you're coming to Lake Oconee, um, Krista, but we had sort of joked about, we have joked about in city tour dinners as we cross the country that when you say AI, you have to take a drink, and that turned ugly very quickly. And so I've sort of taken that, uh, particular play off the, off the playbook, and we don't, we don't do that [00:06:00] anymore. Um, it's interesting the psychology part of this though, um, one of the things that I've said for a long time that I'm sure I stole from somebody is the pain of staying the same has to be greater than the pain of change, right? So it has, change is hard, but sometimes people do just get so frustrated that they have to do something different, and so they do. Um, Anahi, as you look at AI and the stuff that's happening in our world, the tornado that is happening right now, what are you using AI for? Are you using AI for, uh, any of the specific work in cybersecurity or any of the admin stuff? Anahi: In the cybersecurity space, we are ... I think like everybody else, I, I don't think I'm, we're as far along as Chris is in terms of all that automation, but it's exciting to hear because, of course, now I'm gonna go back to my team, um, and add this. We actually have, um, we're in the process of an AI challenge where, um, each member of our team [00:07:00] is coming up with its own innovative s- solution on how to solve a problem with AI. And at the end, we're gonna vote and the winner is going to get a prize. We're trying to make it fun, um, for, for the team just, you know, we all need distractions, and this just feels like a p- really productive way of distracting our own team members. But, you know, a- automation, leveraging it to, um, do administrative tasks, we, we are a Copilot shop. I, I find myself using Copilot more and more as an, as an organization, we are very bullish on AI and are, you know, have rolled out ambient listening, which is really helping our clinicians reduce their pajama time. They, they're calling it a life changer. Um, we are, um, implementing it for, you know, revenue cycle optimization, [00:08:00] OR and nursing schedule optimization among other things. Um, we've gone pretty much in on Palantir and using that as a defacto platform for advancing our AI initiatives, but, um, I actually am coming off on the heels of a board leadership summit, um, that our CEO hosted on Wednesday where she invited this gentleman by the name of Justin Utley. He's a Stanford professor and has, uh, like an AI podcast. And his whole message that morning was around, if you're not, if you're not using it ... He, he said, "If you, if you're using the word using AI, you're doing it wrong. You should be working with AI and you should have five different types of AI assistants to assist you in everything that you do. And if you are improv- improving your productivity by 10%, you're doing it wrong. It should be 10 times." Yeah. And, and he, and he [00:09:00] just walked us through how to effectively use the AI in ways that I hadn't even imagined, um, in terms of don't just give it a prompt, have a conversation with it and you see how much quicker it comes to solutions that you didn't even know, um, you had. And so I, I, I'm, like, super excited now because I, I'm using AI, honestly, to figure out how to remodel or how to model my new home. Like, instead of trying to figure out or go on ins- uh, or on Pinterest to try and figure out, like, how to m- model my new living room, I'm having AI do it for me, given my f- my taste. And so I, I'm, I'm going off the rails. But the bottom- Drex DeFord: It's okay. ... Anahi: organization starting with our leaders and our board are really pushing and promoting the use of AI across the organization as a true differentiator, not only competitively against [00:10:00] others, but to just improve our efficiencies, productivity, and hopefully just the work-life being. Krista: , The work-life balance is a huge part of it for anybody in security. It doesn't matter if you augment with twenty four seven SOC and this and that, like, you are still always on call in a sense. And so it's very hard cognitively to, to disconnect. So I hope to see what you're talking about is the AI human singularity. And so they're predicting, um, in Ray Kerswell's book at least, and he helped build AI back, like, 63 years ago at MIT. He's predicting singularity somewhere around, like, 2042, but it, it's always a trust singularity issue, right? It's because people don't, A, know how to use it, B, trust, the output, which rightfully so, right? It's still, still growing up, it's still a teenager, but I am, I, I'm so excited to see that come to fruition. I mean, to the point where I used Claude, I, I, in, I think it took [00:11:00] me 20 minutes to build a drill down, um, threat intelligence and management dashboard in Microsoft, uh, Azure Power Apps. So it's like that would've taken months of someone to put that together in an implementation playbook by hand. Anahi: I'll give you a couple more examples. Like, um, well, we're saving money. I, I had, um, I had a, a firm on retainer to build star rules for SentinelOne because my team just didn't have the, um, coding skillset to do so and, uh, and capacity, right? Like, we, could, could they figure it out? Yes, but it was faster just to face somebody else to do it. Copilot can do it now. There's no need, um, to leverage that, that retainer money. And, um, I just learned that, um, our GRC engineer who used to pay a consultant to help implement, um, our integrated, uh, risk management platform, she's using Claude to, um, you know, to map out control objectives, uh, um, against frameworks [00:12:00] and to do whatever coding we need to do in our ServiceNow platform because she doesn't need a consultant to do it. I mean, uh, these are cost savings, um, business improving methods that we couldn't have done without AI. Drex DeFord: There's a lot of things I wonder about too. Um, as you look at your consulting contracts, as you look at your vendor partners, um, they're doing the same thing. They're using AI to be way more productive. And so I think one of the questions or one of the conversations probably to have with your partners is, "I know what you're doing back there, uh, that means more profits for you, but does it eventually mean a lower price for me or a better, you know, a product, new products more quickly?" What does it mean for me? Like, have that conversation with your partners too, right? Are you, are you thinking about that? Have you, have you, have you had those kind of conversations with any of your partners yet? Krista: I'll say because they're amazing and they've been a [00:13:00] huge partner since day one, in just making sure we have what we need and we're in the early implementation stages, but some Paris and we were talking about them before we came on here. Uh, yeah, absolutely. So, uh, it allows them to innovate their products more quickly. And I was just riffing with their chief product officer and the product owner last week about, um, what it really means to recover agents and things like that and how they're now attacking that and the dashboard more, or not the dashboard, but their capabilities more quickly and helping to build out Ready One for instant response and, and put some, um, some automation in there. So I think any good partner and I, so to your point, you have to have that conversation. Any good partner will say, you know, "Yes, but what are your ideas? I wanna incorporate them." Drex DeFord: Yeah. I think the advice to partners would be engage your customers, have the conversations with them, talk to them about how you're using AI to make your product better and safer and faster and hopefully [00:14:00] cheaper, um, and that, that goes a long way toward building trust with that company too. And you were just talking about Semperis. So you're in the movie too, right? Is that what you, you were telling me that earlier? You're in the, the simplest movie. Krista: Yep. Yep. So, uh, Midnight in the War Room and, and all of that, so talking about intentionality of decisions and, and where you should spend your time, I took a chance, um, due to a recommendation from one of my really great partners at CDW that I should go to hybrid identity conference. And so I got to know everybody there and I was supposed to be able to do a customer testimonial and I got pulled into doing a, a little bit about my drag racing and kind of blowing off steam for mental health, um, for Midnight in the War Room. And it blew up into a whole conversation about, uh, advocacy for, uh, mental health and work-life balance out of that. So it, it's amazing how quickly that has taken off out of just a, an intentional [00:15:00] desire to learn more about, you know, identity as part of the program. Anahi: That's incredible. How much fun? Krista: It was a blast. Oh my God. You should come this year. You have to come. Drex DeFord: One of the things that you and I and Krista had sort of talked about in, in our, uh, prep, prep discussion was, uh, figuring out how to make yourself, um, better, your s- your team better and safer from a mental health perspective. There's so much work, there's so much pressure, there's so many things that are going on. Just physically and mental health-wise, what are some of the things that you do to, to make sure that you and the team stay on top of it? Anahi: I mean, uh, you know, personally, I'm very, very protective of what I call my work-life harmony and, and, um, really draw a line when it comes to ensuring that I'm given my best at work and I'm given my best at life. And, um, and that, what, what that means, it's, you know, it's not fifty fifty. There are some days where, or some weeks where perhaps [00:16:00] I'll work a little bit extra because there's a project that needs to get done or there are deadlines. There are weeks that I spend a couple of days at business person specials watching the Phillies play at 1:00. I heavily considered doing a double header yesterday going to the 12:00 game and the 5:00 game didn't work out, but I would've- Yeah. ... and wouldn't feel bad about it. And, um, and so for me, it's important that my team sees me em- emulate these behaviors and that they see that I ha- that I travel, that I go out, that I run marathons, that I do all of the non-work things that are important to me, and, um, and so that they can follow suit. And, you know, often we say family before work. So if someone needs to take off in the middle of the day, I don't wanna see a calendar ho- holds for PTO for a couple hours in the middle of the day, just go. Mm. Um, and so we are not [00:17:00] only constantly pushing our teams to ensure that they're investing in their work-life harmony, but also that they're invested in the, in themselves, and whatever that means for them, whether it's training, going to conferences, um, networking with other peers, I mean, really building a, an ecosystem for them that helps them to feel like they're successful. And, and so that dialogue's constant, and it's intentional, and we're constantly checking in on them to make sure that they're feeling that their stress levels are manageable, and if they're not, we have conversations around why not. Uh, recognizing that, you know, when you have up and coming individuals, they're less likely to take the liberties that I feel very comfortable taking, so really encouraging them to take them because they're necessary in order for them to feel healthy, rested, and productive. Drex DeFord: That's paid off for, [00:18:00] with retention, too, right? Your, your team is- Anahi: Yes. Yeah. I mean, I, the, our retention levels are incredible. I have a relatively small team, and the attrition rate, i- if, if I've had one person every two, three years move on to a different, um, organization, it, uh, I, I'm probably exaggerating. It's probably less than that. That's how low our retention levels are. Drex DeFord: That's amazing. Kristen, I know, I, I know you do a bunch of stuff outside of work too. Both of you do. I mean, it's really kind of interesting as I watch you on LinkedIn, but I mean, I'm in, you know, we're involved kind of, uh, in a Venn diagram way in each other's lives and other stuff through HISAC, the stuff I watch and read and, and vice versa on, on LinkedIn. But I know you're involved in women in cybersecurity, uh, you've been involved in, uh, InfaGard. Uh, h- how are you, w- how do you think and how do [00:19:00] you work the balance and all of that? And Krista, I'll start with you, and then Anna, I wanna hear from you too. Krista: One, one of the first places, I'll tell this story, because I like to do this about Donna Ross all the time, too, because she had such an impact on my career. One of the first places that I got to know Anahi was through Wesis. Um, so I think it is very important to be intentional about what you do. We get invited to so many events that I could literally never be home, but to Anahi's point about work-life balance, I have a child and I have a husband. Like, I, I am working to provide for them and to experience with them. And so, um, the way I balance it is, you know, I'm a WeSIS committee chair. I can't always make our events, but I make sure that I support in some capacity behind the scenes to help make that event a success for the people who can attend. And so I think really the intentionality of where you go is gonna be the most important. Um, I took on two events ... Uh, I did an overnight to RSA on a whim because I was a finalist for the, um, Resilient CISO Award and, like, that [00:20:00] never happened. So I was like, "Oh, why not? " Like, being there helped me open up more doors and to get more context for our, um, AI security innovation strategy. So it's like there, there's a negative connotation, I think, on conferences, and I wanna shut that down. Some of the best relationships that I have made is through networking at conferences. You don't always get, you know, innovative information, right? You might just be like, "Oh, reinforcement, I knew that. " But some of the reason we are where we are today is because of the relationships I've made, because I placed myself out there at certain events intentionally to say, like, "I know who, what this is about, who's gonna be there, who I plan on targeting to have conversations with, spend time with. And, and that really does help you in your program and your team, because it makes it easier for a team if you can defend, you know, innovation or spend in your program. And so I really just try to support the people who still support me and have supported me and given me confidence through my career to, [00:21:00] to get here. Anahi is a big part of that. Um, and so if someone's having an event, like I just did Alicia and Quest Circle, um, one of my friends works for Robert Hath and she put together this mom and daughter mentorship thing for people up and coming looking for jobs. And like, did I need another event on my schedule? No, but my daughter actually came with me and sat there while I helped interview and, and to guide some of these young women in STEM. And so it's like, if it helps other people, and it's, again, I use that word a lot, but it's intentional and you know that you can make an impact in some way, I say, "Try to fit it in. Drex DeFord: A lot of good modeling behavior, right? I mean, Anahi sort of talks about this work-life balance thing, and I'm like, "My life is my life, and my work is my work, and I want my team to feel the same way." You're modeling that same behavior in associations, or they're not even associations. I mean, you know, you're, you're building community, you're making connections, you're, you know, creating those kind of new friends for yourself and for your team in many cases, right? [00:22:00] Anahi, you do a bunch of this too. How, how, how do you, uh, how do you keep it all squared away? Anahi: Uh, you know, uh, I, I was actually telling somebody earlier today, um, that I'm really lucky to work at ChristianaCare because they understand how important it is for me to make an impact and to influence the industry, and they give me free license to do and go wherever I need to do to make that happen. Um, and, you know, my executive platinum status with American Airlines isn't because work requires it. It's because I want to attend these events. I, I want to serve on the Health ISAC board of directors and help, um, that organization help the industry. I want to serve on the Healthcare Sector Coordinating Council's executive committee and help that organization improve the healthcare industry from a cybersecurity posture, not [00:23:00] just my organization. And being a thought leader not only helps me to, uh, do some of that influence that is so important for me in improving the industry, but it also helps me to learn from others. We're at the top of our field. Our CEO, our leaders are not teaching us how to do cybersecurity. They are expecting that we are teaching the organization how to do cybersecurity, but we don't know everything. And if we pretend we do, we've already failed. And so learning from our peers is really the only way that we can all be successful. Economies of skill, if you, if you wanna call it that, you know, Drex, you and I were just in Dallas. I came back so excited to share with my team and with my leaders some of the things that we discussed and, um, and some of the innovative ways that we could do things [00:24:00] differently. And I wouldn't have been able to do that if I hadn't spent- Put yourself out there. ... you know, a couple days with 14 other CISOs that are all trying to solve the same problems that we're trying to solve. So for me, I think it's really important to get out there, um, be a sponge and also share the expertise that we have with others so that we can all, as an industry, become better. Drex DeFord: Yeah. Well said. I mean, I think you get out there and you teach and you coach and you learn and that's, you know, that giving back is the karma credits just build up for you. So it's a, it's a good thing. Okay. Uh, I'm probably getting ready to wrap up here, and I'm gonna ask you a question. Anahi, you've heard this one before, so I'm gonna let you go first. This is the lightning round version, uh, of the podcast. The question is, you're giving a keynote at a massive conference and you need to, uh, come up with a walk-up song. It's a [00:25:00] song that, you know, they're gonna play as you walk up to the stage. What's your walk-up song, Anahi? Anahi: So if you, if, if you ask me that question differently, if you ask me, "What would be my walk-up song to, you know, if I was an NFL player- Tell you it when they come for me by LinkedIn Park." Drex DeFord: Oh, Anahi: yeah. But profAnahity and it's a little, like, so probably not appropriate for a conference where I'm trying to exhibit leadership skills and collaboration and knowledge sharing. Um, so I would say whatever it takes by Imagine Dragons. Oh. Um, I just, I love the lyrics. I love the message. To me, um, I think we can be and do anything we set our minds to, uh, but that takes, you know, Krista's used the word intentionality. It, you have to be intentional about it. Things don't just fall on your lap, but if you really want it, whatever that is, whether it's [00:26:00] finishing a marathon, whether it's become a CISO, whether it's becoming President of the United States, you can do it. It's gonna take grit and work, um, but for me, whatever it takes is how I'm gonna get to where I need to go. Drex DeFord: Love it. Krista, what's your song? Krista: So I get two of them, and I have to put this out there because I like to laugh at myself with my, uh, my authenticity soapbox lately. Um, personally, if I didn't have to worry about being professional, my theme song is, uh, I think her name is Ellie King, and it's America's Sweetheart. I'm not everybody's mold status quo white collar CISO, but you love me anyway. I like that. Um- That's good. What was Drex DeFord: the Krista: other one? So a math for my team and for a conference is Imagine Dragons Warriors. We're the Warriors. We built this town and it's gonna continue to be a challenge, but somehow we're gonna, somehow we're gonna continue. [00:27:00] And it's just very motivational to me, and I find that when I'm having a difficult day where I need to hype up um, that one always does it. I think it hits all marks. Anahi: Imagine Dragon's Radio. For me, It gives me the energy boost to whenever I just need to get amped up. It's, um, there's a reason we get along so well. Krista: So, so Dra- I have this question, guys. When are we going to start a 2:30 or a 2:29 podc- project playlist on Spotify so people can actually listen to and submit to contribute to their hype songs? Because I think this is great. Drex DeFord: I love it. That's a great idea. So here's what has ha- sort of happened. As we have done 229 Project Summits, there's usually some version of a question that has to do with music that we do, um, as part of a wind down, um, one of the days. Uh, I take those songs and I put them into Spotify playlists. And so if you go to Spotify and you look up UnHacked Drex, there's several playlists out there from [00:28:00] several of the summits that we've done in the past, but I'm totally open to, and as soon as we are done, I will go set up a Spotify playlist that is open in collaboration and people can put in their own hype songs. So go look for that on Hack Drex. We'll call it Hype Songs or something like that. And we'll see what people put in there. Krista: Let's do it. Drex DeFord: I love that. Krista: Seanahi, you're all still influencing even talking about music. Drex DeFord: Thank you guys so much for being a, a part UnHacked podcast. It's good to see you. And, uh, Anahi, it's always good to hang out with you. I'm glad I got to see you. And Krista, I'm gonna get to see you in a, in a few months. Um, any last words before we go? Anahi: Uh, no. I mean, th- thanks for having us. Um, to the audience, you know, keep at it and keep having fun while doing it. Drex DeFord: Okay, thanks. I- Oh, Krista, go ahead. Krista: Groger's specific leadership lessons, you don't need to be the loudest person in the room to have an enormous impact. Drex DeFord: I love it. Anahi: That's true. Drex DeFord: Yeah, that little guy. Uh, thanks again. I'll, I'll, [00:29:00] we'll see you soon. Thanks for joining on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at this week, health.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff. Together we are stronger.