UnHack the Podcast

UnHack (the Podcast): Passion Over Paychecks and Hidden Risk with Mary Dickerson and Gordon Groschl

About This Episode

November 4, 2025: Identity has become the foundation of healthcare security, but managing it is more complex than ever. In part two of this UnHack (the Podcast), Mary Dickerson, Associate VP and CISO of UTHealth Houston, and Gordon Groschl, CISO and Director of HTM at Texas Children's Hospital, explore how organizations are shifting from prevention to resiliency. They also share candid career advice for aspiring cybersecurity professionals, challenging the industry's unrealistic entry-level requirements and explaining why passion matters more than credentials. From volunteer firefighting to CISO leadership, discover the unconventional paths and practical strategies shaping healthcare security today.

Key Points:

  • 00:24 Identity as the New Perimeter
  • 04:09 Transition from Prevention to Resiliency
  • 09:17 Behavior Analysis in Cybersecurity
  • 12:17 Lightning Round: Personal Insights
  • 15:35 Advice for Aspiring Cybersecurity Professionals

X: This Week Health

LinkedIn: This Week Health

Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the Podcast): Passion Over Paychecks and Hidden Risk with Mary Dickerson and Gordon Groschl

[00:00:00] Drex DeFord: I'm Drex DeFord, president of Cybersecurity and Risk at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together, because cyber safety is patient safety. Let's get started. I was talking to somebody the other day. "Identity is the new perimeter" came up in the conversation between three or four of us, and one of the folks in the conversation was really adamant about how identity has always been the perimeter. We used to build kind of these layered defenses, but the reality was, when somebody got through, what they were going for was an identity, because that's how they blended in and were able to do all the bad things that they were gonna do. It's really interesting to take that whole alternate approach. I really like that. Gordon, you got any thoughts on that? How do you guys think about this?

Gordon Groschl: [00:01:00] We went slightly in a different direction. So we actually merged our SOC with our security engineering team. So all the technologies, everything that we do in security, is now combined with our SOC to allow for, I would say, a completely seamless integration of all of our security technologies, and making sure that we are applying best practices and principles from all angles, not just from day-to-day security operations, but also from how the SOC actually looks at all of our technologies and how they're helping us protect the organization. And then we created what I would call an identity center of excellence.
So we actually combined our identity access management team with what we call directory services. So all that's in there, the Active Directory, DNS, DHCP, all of those services are combined with our identity and access management team to basically allow us to drive a holistic strategy around identity. [00:02:00] And I think one thing that Mary said is interesting. I know this is not the new password, right? Identity is the new perimeter. And I agree with you. I think it was always the perimeter. I think we have become more aware, I guess, that it is the perimeter because of when we start thinking about Zero Trust and how do we implement Zero Trust. If you go back a few years, everybody said Zero Trust is a network segmentation exercise. It is, but it's not; it doesn't end there. And if you don't have a solid real-time, I would say, decision-making engine around identity that overlays all of this, then you still don't have Zero Trust. And I think that's where this awareness was raised: oh yeah, identity is the new perimeter, because that's what really is the glue that keeps everything together. And it's not the network, which has been the predominant thought for the last, what, 25, 30 years at this point: that as long as we have the network under control, it's all okay.

Drex DeFord: It's not easy to do. It's almost, in some ways too, [00:03:00] it's like network segmentation, yes, but it's also identity segmentation. What can that person get to? We have people in healthcare too that are in our organizations for 20 or 30 years and work in seven or eight different departments. And the whole challenge with deprovisioning them from resources they used to have and then reprovisioning them in their new department, all the work with HR. How do you guys deal with that?

Mary Dickerson: We work very closely with HR, and as the identity providers, we manage a lot of those relationships.
One of the challenges of being an academic and healthcare organization is the fact that there are very few identities that are single identities, because we have many students that are also staff. We have many faculty that are also students. I mean, everyone has multiple roles, and those roles don't fit into easily defined buckets. So it's very important that we [00:04:00] understand what all the different permutations could be, so that we can make sure we are checking appropriate access at every point to make that happen. I also think that cybersecurity has shifted over the last several years. We were in a very preventative mode. You wanted to make sure that you were secure, that you weren't gonna get breached, all these things. And I think we've transitioned to the idea that it's not a matter of if you're going to have some type of incident, but when. And the key to it from the organization's perspective is, they don't really care. What they care about is the ability to continue to deliver services, right, in the way that they expect, that everything is functioning the way that they need it to function. So we've gone from prevention to resiliency, but the way that you get to resiliency is you have to really understand how everything is working, and the identities become a critical part of that, because I need to understand everything that this one individual account could potentially [00:05:00] access. So if a bad scenario happens, I also know where to step in to make sure that those services are not impacted and the overall organization doesn't even know that something has happened. So it's really understanding how all the different pieces fit together to get to our goal, which is to continue to provide services regardless of the situation that gets us there.

Drex DeFord: Gordon, it's also, it's not just the identities of the humans. There's a lot of other identities on the network now too that you have to deal with.

Gordon Groschl: Yeah, absolutely.
The, I would say, non-human identities are definitely an, I would say, emerging threat. And I think threat actors are very much after those, because it allows them often enormous amounts of access. Sure.

Drex DeFord: Like service accounts and things like that. Yeah.

Gordon Groschl: API credentials. And typically these credentials have massive access. Think about if you have an API into your EHR that is [00:06:00] connected to another application, and the amount of data that you can then easily exfiltrate without actually triggering any alerts, because it looks like a normal data operation. So having an understanding and inventory of all of your non-human identities, where are they, what are they used for, limiting their access, is actually something that we work on very hard, because it is definitely something that scares me a lot in this hyperconnected world that we live in. SaaS platforms left and right, APIs all over the place, and data flying around from one point to another. I think there is a lot of work that is ahead of us, and it's created a whole new attack surface that we're now trying to all, I would say, control. And like with everything, it all starts with visibility. Understanding where your non-human identities are. What are they doing? What are they used [00:07:00] for? Who has the control over them? And then limiting their access. And I think the key part in all of this, and that's a lesson I think that we started really learning at Texas Children's: when we remove all, I would say, the noise, what it all comes down to is the fundamentals. If you don't have a good understanding of what's all in your Active Directory, and all the accounts and how they're used, and what's on your network; if you don't have a good asset inventory that is accurate, with a clear understanding as to who owns all these different assets and what's their purpose, you're gonna have a very hard time doing all these other things. Yeah.
Zero Trust, like securing those non-human identities, it's gonna be a struggle. And so you need to fix your fundamentals. Those core processes need to be, I would say, ironclad. And then you can start building on top of that. And so we actually spend quite a bit of energy [00:08:00] to really get a handle on, okay, what are all our identities? Have a clear understanding there of every identity in our inventory, what they are, if it's a privileged account, a non-privileged account, a service account, or other credentials. And then you can start building on top of that. But until then you're gonna struggle. Yeah.

Drex DeFord: We used to think a lot about that sort of inventory as mostly an equipment inventory. Now it's become an identity inventory. And as Mary kind of alluded to, a lot of it now is really knowing and understanding exactly how and when those things are connected. How's the neck bone connected to the ankle bone?

Gordon Groschl: I know, right?

Drex DeFord: In that network in between the identities. Yeah.

Gordon Groschl: A few years ago, this was a manual process, right? Like when people were working on this basically with lists and databases, right? I do think that technology has evolved, that you can use AI to help you with that, to make sense out of all the signals that you need to basically [00:09:00] build a solid foundation of an inventory and then also make decisions on top of that. It has gotten better. I don't think we have reached the golden state yet, so to speak, but I think it's not as bad as it was even five years ago to get this done.

Mary Dickerson: I think one of the keys to all of this, though, is really understanding what is normal. As far as not only, Gordon, to your point about, do you know what all the different
things are that are connecting to your network, but what is the behavior that you expect to see from these different things, so that you can know when you see something that you're not expecting? And I'll never forget, 20 years ago I was in a meeting and they were talking about, it was financial services and all kinds of other industries that were there, and the person from financial services, we were talking about password strength and stuff like that, and he said, oh, we don't care about passwords. And everyone was just like, oh my goodness, financial things, you... And he goes, no. What we do, though, is we [00:10:00] watch what people do after they log in. Because at that time he was explaining about a compromised account. He said, normal users, when they log in, they'll check their account balance. They'll do a couple of things and then they'll transfer funds. But if someone was just really trying to hack your account, the instant they get in, the first thing they're gonna do is go start transferring funds. So he said, we don't care how they get in. We care what they do after they get in. And if it's not normal behavior, then it immediately gets flagged and our fraud team looks at it, and everything, he said. But we know what a typical user will do. And now, very soon after that, he explained, we know exactly what you will do, because we know your behavior. But it's really figuring out what isn't normal. And I think that's where we're at right now. Whether the identity is a non-human identity or it's a person, we're still looking at, are they doing what we expect them to do? Because when they start doing something we don't [00:11:00] expect them to do, that's when we should be paying attention to, is this a compromised account? Is this something that we need to be worried about? And that helps address the insider threat as well.
It doesn't matter if you are the legitimate person that owns that account; if you suddenly start doing things that you shouldn't be doing, that should be not typical behavior for you. And if we can detect that, we can respond to that before other bad things happen.

Gordon Groschl: I think I need to talk to my bank, because they're constantly confused about my behavior, rather sending me text messages when I'm just trying to pay my hotel bill in California, for example. Clearly they're confused about what I'm doing.

Drex DeFord: I've had to have a couple of conversations with my credit card company about how much I travel and how it isn't weird that I actually will be charging something in this city and then charging something in another city. They still look out for me. I still get a lot of those alerts too. But I love that behavior, the [00:12:00] behavior analysis and all of this. Is this the machine they usually log in on? Are they going to the applications they normally go to? Is this the normal time of the day that they sign in? All of those kinds of things can pile into that. Ugh, you guys are killing me. There's so much stuff that we could talk about. I love it. I wanna go to the lightning round, because this is also a little bit about folks getting to know some things about you. So you guys ready to do the lightning round? Sure. Mary says it with such dedication that she really, okay. Okay. Mary, imagine that you're making a presentation at a really big conference and they ask you for the song that you wanna walk up to the podium to. It's 3,000 people. It's a huge conference. What's your walkup song?

Mary Dickerson: I think I would have to say "Standing Outside the Fire" by Garth Brooks. There's a line in there: life is not tried, it's just merely survived, if you're [00:13:00] standing outside the fire. Plus I'm a volunteer firefighter, so it goes with my theme.

Drex DeFord: I noticed that in your bio and I was like, should I ask about that?
Should I not ask about that? So before I go to Gordon with the same lightning round question, Gordon, you can think about this, but Mary is the volunteer firefighter. It feels so in tune with the CISO job. Is part of this, you're drawn to that because that's just how you're wired?

Mary Dickerson: It could be. So I was actually a volunteer firefighter long before I got into cybersecurity. And then the joke after that became, at least in my volunteer job, they give me appropriate firefighting gear that they don't issue to cyber professionals, even though it's a very similar concept. At one point in my life I had a commercial driver's license. I was actually a bus driver in college. That was one of the ways that I put myself through school. And then my husband also had the same thing. And when we moved to the Clear Lake area that we live in [00:14:00] now, they had a need for volunteer firefighters that could drive the fire truck. And so my husband started first, and I decided it sounded like fun, so I did it too. But I didn't wanna only drive the fire truck, so I got certified as a firefighter to do interior firefighting, and I've done it for 25 years. So it's been a lot of fun. It's neat to serve your community, and there are an awful lot of parallels between incident response that we do on an emergency management side and incident response that we do on a cyber side. So it's been fun to see the crossover between those two disciplines. They each have their adventures.

Drex DeFord: That's amazing. Hey Gordon, so on your walkup song, I think, is this a question we might have asked you at a 229 Project Summit? Did we use the walkup song? I'm gonna ask you again anyway. What's your walkup song?

Gordon Groschl: Yeah. And actually I think my answer is different. I thought about it, right? And I'm a big rock music fan and I [00:15:00] like metal music.
So originally my choice was actually a metal song, and then I revisited this and I would pick "Don't Stop Me Now" by Queen. Yeah, I like that. You can get stuff done, you can do it. It's a positive song. I would pick that. It's a very upbeat song, and it resonates with me. I've always been somebody who liked a challenge, in personal life or career. And so "Don't Stop Me Now" speaks to me.

Drex DeFord: I think that's a great walkup song. Okay, next question. Maybe this will be the last question. I'm looking at time. I don't wanna run us over. You might know some young people who wanna get into healthcare cyber. What's your best advice for them, and what's the worst advice they'll probably hear from other people? Gordon, start us off. What's the best advice that you would give them, and what's some of the worst advice they'll probably hear from other people?

Gordon Groschl: Yeah, that's a good question. I actually get approached quite a bit by [00:16:00] people that are, like, somewhere, high school seniors or in college, or even adults that are doing one thing and they want to go into cyber. And for example, we partner with a local Houston organization and we have interns in the IT department every year, and a couple of those are obviously cybersecurity interns. The first thing I tell anybody, and this just happened to me, I had a call with somebody. They reached out to me and said, hey Gordon, I wanna talk to you. I want to go into cyber, but I really don't know, how do I get there? And I asked them, okay, so what do you wanna do in cyber? And they were just telling me that story about, I'm not really sure, and maybe this, that, what do you think? And then I said, before we take a step further, the first thing that I ask you to do is, you need to think about this and then figure out what you're passionate about. If you're not at a high school or a college stage, right?
Like, you are 30-plus years before [00:17:00] you're gonna retire. So you wanna find something that you actually like to do, that you enjoy doing, and that you're passionate about. And then we can talk about how do you get to that goal, but first, define your goal. Do you wanna be a SOC analyst, or do you wanna be an identity specialist? Do you wanna be governance, risk, compliance? Maybe policies and procedures is what excites you, right? But first, figure out what actually excites you, what you're passionate about, and then we can talk about, oh, these are certifications or trainings you can take, right, to build core knowledge, expertise.

Drex DeFord: What's the bad advice?

Gordon Groschl: Advice, yeah. It's all about money, right? Oh, you should become, I don't know, a SOC analyst, because there's more money in SOC if you work in a managed service, et cetera. So I feel like, I'm a passionate person. I love what I do. I love Texas Children's, and I love my job, and I can say that I got lucky that I figured out along the way what I really wanted to [00:18:00] do. It hurts me when I listen to people talking about focusing on the money aspect of a career, because it feels really so wrong inherently that you're just doing something for the money, or you're trying to pursue something because there are more dollars in it for you. To me that's one of the worst pieces of advice that I've ever heard.

Drex DeFord: I think you gotta have a job and you've gotta make a living. But for the people that have been really successful that I've seen, they actually love what they're doing. And they figured that out early on. They got into it, and because they were so passionate about it and creative about it, the money came along with the energy and the focus that they put into it. I like that. That's good. Bad advice: don't chase the money, chase the passion. Don't. Yeah.

Gordon Groschl: Be passionate about what you're doing and have fun, and don't chase the money.
The money comes by itself.

Drex DeFord: Yeah. Mary, what advice would you give them, and what's the most terrible advice you think they'll probably get?

Mary Dickerson: I say the [00:19:00] best advice is to recognize that you have a lot of skills and you have a lot of experience, even if it's not directly in the healthcare field. There's a lot of things that are very applicable. I think, partnered with that, the bad advice is the people that are only looking at, if I haven't spent 2.5 years doing this because it was listed on the job description, then I shouldn't even apply for the job because clearly I can't do that. And I have to get them to look at it from a different perspective. It's like, everything that you've done, every job that you've ever held, has led you to be the person that you are today. So figure out, as Gordon said, figure out what your passion is, and if your passion is you wanna do cyber in a healthcare environment, figure out how the experiences that you have support you in doing that now. And a lot of times the experiences that people have will bring them a unique [00:20:00] perspective that an employer would very much like to have. But you have to recognize that yourself first. So when someone says, what can you offer for this position, if you've only looked at, I've only ever done this part of what you say you want, so this is the only part that I can do, you're really missing out. You're missing out on not only what you can offer that employer, but what benefit that employer can get from someone that's done different things and has seen things from a different perspective, who will bring more to that role than they may have even anticipated in the beginning. Yeah. So I think that the bottom line to that is, recognize what overall expertise you have and then figure out how that fits the job that you want to try to obtain.

Drex DeFord: Yeah, I like that. What's the terrible advice that they're probably going to get?
Mary Dickerson: I think the terrible advice really is, if you haven't done this, then you're not qualified. Ah, I see. So self-selecting themselves out of, I've never had that role, so I [00:21:00] can't do that role. I think that I could probably look at a million different other fields that I've never worked in before, but there are common elements to the things that I have done, and so I think people self-select themselves out of something that could be a really awesome opportunity. As Gordon said, it might be that one thing that gives them a whole bunch of excitement to go to work and do, but they may self-select out from even applying for that because they haven't already done whatever they think that position calls for.

Drex DeFord: Yeah. If you don't ask, the answer is automatically no. And the other part of that really is, all of our jobs boil down to, are you a nice person? Can you get along with others? Can you build collaboration? Can you solve problems? Are you really good at solving problems? 'Cause there's a lot of problems. If you're good at that, there's a lot of opportunity for you. So focus on kind of those skills. Absolutely. I like where your head's at, Mary.

Gordon Groschl: Drex, do you mind [00:22:00] if I share a pet peeve that is related to what Mary was talking about? Please do.

Drex DeFord: Yeah.

Gordon Groschl: And this is something that personally aggravates me, like, fundamentally. How many of you have seen job postings for entry-level positions? And this speaks to what you're talking about, Mary, where they're saying, like, I'm looking for an entry-level security analyst, right, with 10 years of experience, three certifications, and, I don't know, ideally a master's degree. And that's not, I know, but that's what the expectation is, right? And when we then think about the talent shortage, I think, in many ways, organizations are their own worst enemy. You're not giving people a chance.
Drex DeFord: It's like you almost don't really wanna hire that position.

Gordon Groschl: Yeah. You're creating a golden unicorn that doesn't exist, basically. And you're also, and this speaks to what you were talking about, not everybody has to have a degree in [00:23:00] security and five certifications and years of experience, right? There is a lot of value in coming from other areas and having a baseline knowledge. Somebody who has an interest in computers, maybe did some entry-level courses or certifications, can be a super awesome junior analyst that can really take a totally different perspective on things than, let's say, somebody that's been doing this for 15 years. And I've seen this in our organizations, as a matter of fact, where we really started hiring college grads and sometimes even high school grads into junior positions. And they brought a completely different level of energy and a different perspective to things that challenged everything that we were doing in that space, right, or the topic that we were trying to accomplish. And it's really refreshing, and I feel like we're making this way too hard on ourselves as a country when we talk about cybersecurity talent.

Mary Dickerson: I agree. And I would also say, [00:24:00] one of the challenges is working with HR departments that are not as well versed in what cybersecurity could be. And we deal with a lot of the, we require a bachelor's degree in computer science, and it's like, that's a small part of what we do as part of cybersecurity, because we've got policies, we've got things that are much more on the art side of some of the things that we do. Our awareness campaigns are marketing. And so when you look at all those different pieces, the idea that the only degree that works for cyber is a bachelor of science, computer science, something like that. And to your point, Gordon, do you even really need a degree now?
If you have expertise and you have certifications that show you know on-the-job practical stuff, do you really need that piece of paper that says that you graduated with a certain body of knowledge? A perfect example I can give of that is, we actually hired a former band director. His degree is in music; it has [00:25:00] nothing to do with cyber. He has earned 16 certifications, high-level certifications, in the last two years that he's worked with us. He is one of our most qualified analysts. But if you went back to the very strict definition of what HR was looking for, he would've been screened out before our managers ever even saw him. And so I think, to the point, cybersecurity is a very complex and continuing-to-evolve field, and we have to look at anyone in this space as a potential person with whatever expertise they have, and not automatically rule out people that don't fit a certain cookie-cutter image that isn't even applicable anymore.

Drex DeFord: I don't even know what to say after that. There's so much, like I said earlier, there's so many things we could talk about. I hope you guys will come back. I'd love to have you both back, and we could dive into all the other things we didn't talk about today. I really appreciate you being on the show today, Mary, Gordon. Thanks for being [00:26:00] on.

Mary Dickerson: Thanks, Drex. This has been a fun conversation.

Gordon Groschl: I know, it's a fun way to ease into the afternoon. So thanks, Drex.

Drex DeFord: Thanks for joining us on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff. Together we are stronger.
