May 22, 2025: James Bowie, VP and CISO of Tampa General Hospital, and Mick Coady, CTO at Armis, join Drex for this webinar re-run. Discover how asset visibility exposes unused medical equipment, saving hundreds of thousands in unnecessary purchases. James shares how quantifying a vulnerability in the “language everyone speaks”, money, sparked immediate executive action and reduced millions in risk. The experts navigate the delicate balance between security and uninterrupted patient care, challenging the traditional view of cybersecurity as merely defensive. Reframe security from an obstacle to an operational ally and gain a fresh perspective on how modern healthcare organizations can leverage security investments to drive clinical and financial efficiency.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on Keynote,
Mick Coady: (Intro) If you've got crappy processes and you're putting a technology on top of crappy processes, nothing good will come. Technology in certain cases can cause more problems than it does good.
I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor for some of the world's most innovative cybersecurity companies.
Drex DeFord: (Main) I'm really glad you're here. This is the webinar you've been looking for. We're gonna cover Security Is Efficiency: Cyber Resilience Strategies for the Future of Healthcare. And today's webinar is sponsored by the good folks at Armis.
Thank you, Armis. I'm Drex DeFord. I'm your host today, the cyber and risk guy at This Week Health and the 229 Project. And if you would hang in there with me, we're gonna give folks a couple of minutes to show up late. Because it seems like that's just the way things work today. Everybody's on a little bit of a late clock: meeting ran over, had to hit the bathroom, all those things.
Sidebar. There's a Q&A tab for that. I have James Bowie from Tampa General as one of our panelists. He's the CSO there. And I'll ask you guys to do a quick intro here in a couple of minutes, but while we're waiting for folks to join, here's a goofy question. I'll start with you, James, and Mick, I'll do a quick intro on you here in just a minute.
You've been in it for a while. What was your first computer?
James Bowie: First computer I would call mine, oh, my precious, was a 386SX in all 16 megahertz of its glory.
Drex DeFord: Ooh.
James Bowie: And it's been a downhill experience with computers since then.
Drex DeFord: Is it? Because you could get your hands inside and do stuff in there,
James Bowie: do it all and thing every like, yeah.
It was just great. I remember just the wonder of being in DOS and being in the BIOS and, what does this do? And, oops, I just fried that. Let's do that again, you know? Yeah. It was a lot of fun.
Drex DeFord: Mick, same question. What was your first computer?
Mick Coady: Commodore 64 with the tape drive. So there was the original that I kind of had in school. We had the Apple IIe's, if you remember those, that did an original
Drex DeFord: function
Mick Coady: of BASIC when that was back in the early eighties, and that's how I kind of got my start.
But just like Jim, it was kind of easy to navigate what you were doing. I mean, I don't know what versions. Later on, after we got into the late eighties, early nineties, we started getting into DOS, way more harder. So it was interesting how that worked out.
Drex DeFord: Yeah, that is the correct answer.
Commodore 64. That was my first machine too, with a tape drive plugged into a little black and white TV, I think, if I remember right. Well, it's a couple of minutes after, so we're gonna go ahead and start. As I said earlier, this is the webinar.
Mick Coady: Good to see you again, Drex.
Drex DeFord: again to the audience.
Thanks for being here and thanks for submitting questions when you registered, and of course, thanks again to Armis for sponsoring this. And a quick thanks to Holly, our producer, for keeping us on the straight and narrow 'cause webinars don't happen without the magical person in the background and that's Holly.
So let's do some quick introductions. Jim, why don't you go first?
James Bowie: I'm Jim, I'm the CISO at Tampa General Health System. I've been here for about two years. I was at Moffitt Cancer Center before that, and then I was actually at Tampa General Health System before that in a couple different roles.
And prior to that I was in law enforcement.
Mick Coady: Yep, Mick Coady.
I am the CTO and provide executive oversight for the healthcare delivery organization here at Armis. I just celebrated my two-year anniversary on May 1st. I am a former retired partner from PwC. I have spent about two thirds of my career with KPMG, Deloitte and PwC. So I've been on the consulting side of the world.
So I just recently joined Armis to come in and help them focus an awful lot more on working in the healthcare space. I've been working in that space for well over 20 years. Been in the IT and cyber space for close to 30 years.
Drex DeFord: You also have a really interesting background, and if you ever get the chance to sit down with Mick, that's another thing you should ask him about.
Drex DeFord: How'd that go for you?
James Bowie: Well, that was my second one and I absolutely love them. It is the best download of information you can have. You're there with 10 to 15 other CISOs in healthcare. Same challenges, same issues. How are they solving it? How are you solving it? You can see what you're doing right and what you're doing wrong.
You come back energized, you make connections forever. It's just an amazing experience. I highly recommend it to anyone who can do it.
Drex DeFord: Yeah. Thank you. I appreciate that. In that conversation, it's clear that Tampa General has come a long way in a fairly short amount of time, and I know that efficiency is one of those things you're always looking for in the solutions that you implement.
James Bowie: So before I was in law enforcement, I was actually an EMT, and I think that actually lays well into being a CISO or being on a cyber team, especially in the middle of an incident.
And the first thing you gotta do is triage. And to do that, I had to figure out what I had. Asset discovery was the first on our list, and then asset exposure on top of that. Once you had the assets, then from there you triage: well, this is the biggest risk, this I need to address, this is where we need to coordinate our efforts.
Rallied all of it. I had to, with that asset discovery, figure out what servers belong to what leaders, and, hey, you're responsible for this, and now here's where I need all of you to focus your efforts, on this and this. And it was really good. The organization came around very quickly and was very helpful.
So we were able to remediate a bunch of hygiene issues very quickly. With the help of Armis, actually, in helping us discover all the things we had out there.
James Bowie: Yeah. So if you just look at a list of your assets and what their vulnerabilities are, or just a list of your assets and what you have to do, you will go insane. I think every one of us can look at a dashboard and say, oh, we have a hundred thousand of this issue. Right? And you're just like, oh God, what do we do?
That's where the triage part comes into it. That's where, the vendors or your tools can help you lay out like this right here. This is your main problem. Like you have this exposure. Now when it comes to operational efficiency, they can also do things where they may think they're out of IV pumps or they may think they don't have enough bladder scanners, and you can be like, no guys.
You'll have 15 of 'em, but you don't need, like, I can see them, they've been on, they've been sitting there, no one's using them. So there's a couple hundred thousand for you. There's some efficiency on that front that helps you become an ally at that point too.
Drex DeFord: It's amazing how good the clinical staff is at
James Bowie: They're great squirrels. They're really good at it. Yeah.
Drex DeFord: Mick, you're in the field every day and the, one of the things I love when we sit down and talk is that you have so much great experience because you spend so much time with so many different people at different health systems. There's a lot of security tools, a lot of organizations have never met a tool they didn't like or want to buy. What have you seen on the efficiency front, how are healthcare orgs driving efficiencies and operations?
Mick Coady: There's a lot of different things that go into that, right? And obviously, you know, I wouldn't say I've lost my objectivity coming over to a specific company.
But, you know, he was talking about certain things. I think what's very interesting is watching how, I know you and I have done a couple of dinners recently where I've thrown this out as kind of a random question, which is our friends in procurement, right? Where do they stand? Like Jim had just kind of alluded to.
I find it very interesting that like, when it comes to it and med device type procurement lifecycle or asset management in general, where we sit in the chasm of what we're supposed to be doing to supply to that. So I would say there's one aspect of operational efficiency that can be gained there.
One that definitely has cost ramifications, right? We are talking about that from a perspective. My eldest daughter is a North Star also, and, you know, I've asked these questions. She's on a med-surg floor at night and she's doing these things, and I've told Jim this too, and it's kind of funny.
We keep the good ones in the closets, right? And I go, what? I go, what are the good ones? And it's just this kind of conversation that clinical people on the floors have, and it is kind of interesting. So when you're looking at it, that's just the way it is,
Right? I found eight of these on an ICU floor. I found another four down in the ER. You know, we have over 12 or 13 of these things before we go spend $1.2 million on more infusion pumps. Why don't we make sure that we saw these things six months ago when they came online. Now there's only 24 of them.
Where are the other 14? Or where are the other 13 of these? Right. So, it's definitely part of that, conversation. The other thing too, when it comes to is, Jim alluded to this also, is how do we start creating levels of automation around remediation, right? And organizing that more effectively.
Why do you even want something like what we do, or even some of our network components of our relationship partners that we have with endpoints and all these other pieces? How do we get to that point of driving operational efficiency, but also driving better cost outcomes, and ultimately, from what Jim was saying, how do we get fingers out of the pie and create levels of automation on how we go about fixing things, kind of shifting left and closing the remediation gap timelines that always seem to falter in that area.
So that's where I definitely feel like I want to push and help and work more effectively, either through consulting workflow or putting a technology on top of that consulting workflow that is gonna be good. But if you've got crappy processes and you're putting a technology on top of crappy processes, Jim and I have had this conversation numerous times.
Nothing good will come. Technology in certain cases can cause more problems than it does good. Yeah. So that's kind of the bigger sphere of what I tend to spend my time talking to health systems about.
Drex DeFord: On top of a process that is a train wreck just gets you a really fast and efficient train wreck. And that really isn't what any of the technology projects that we're doing are trying to accomplish. Jim, there was a lot there that Mick talked about. One of them, part of it, was tied to your procurement team and the conversations around procurement.
Tell me how you have used technology to help them be better at their jobs when it comes to acquiring more assets, when maybe more assets are needed.
James Bowie: The first step to that is hopefully you can get ingrained with your contract people. Because if you can stop before anybody signs anything, you can be much more effective and a much better ally than after someone's already signed a check and they're coming to you like, hey, I wanna put this widget on your network, and you're gonna be like, I don't think so, scooter.
James Bowie: Yeah. And if you've gotten into that, not only do you get to strengthen your cybersecurity posture, because you can interject things in the contract that you want in there and that the vendor has to meet these requirements.
But at the same time, your GRC team, which is the team that does it on our side becomes so intimately familiar with everything that's in the organization. They're gonna be like, Hey, why are we buying more spoons? When we have spoons, and it's not your job to be the police, but then you can go to procurement and be like, Hey guys, y'all know you already have a spoon.
You don't need, you don't need this spoon. You have a spoon right here. Right? Yeah. So, that helps you become an ally of procurement. Then they get more engaged and make sure when someone comes to them with a project, they'll say, have you talked to cyber yet? And gotten a clearance? Because it's a good feedback loop.
The more you help them, the more likely you're to get buy-in into your security process and your assessment process.
Drex DeFord: There's certainly efficiencies there, right? That means there's not something bought, and then you have to figure out how to retrofit everything else that you have to make it work and be more secure, right? That's part of it.
James Bowie: Yep. It doesn't always work. They don't, you know, I mean, I'm not, we're not perfect.
There's still some VPs who get happy and sign things without even caulking the contracts. You know, we have to work with that. So you have to be quick on your feet. But yeah, it definitely helps with the efficiency, and it helps. Your board loves it, 'cause now you're helping save money, and your CFO's a big fan of that, from what I hear.
Drex DeFord: Mick, you're looking not only at the number of assets that you have that an organization has on their network and connected to their network, but you're looking also at like how those things are used. Right? That's also a great opportunity for efficiency improvement.
Mick Coady: So I would say there is a huge challenge that's put towards us and many in our space to provide utilization levels of information, right? So if you're using what you're using on a set of pumps that are sitting on a clinical floor, what are they being used for, right? What's the consistency of them, whether it's being used for a morphine drip or you're using it for this, what do the drug libraries look like?
How do we organize some of those pumps more effectively to be used in a consistent way? Some of them are gonna have much greater degrees of utilization than others. How do you manage that disparity? Right. In the imaging space, that happens as well. You know, it's not uncommon to see that you may have 6, 7, 8
CT imaging type machines sitting across the network. We can quickly determine, okay, hang on a second. You're at almost 80% capacity on four, if not even 90%, but over here, these other three or four are barely at 10%. What's going on? Why is there such a disparity? So.
We need to take this back to the chief medical information officer, the CMO, and go, hey, we might wanna rethink how we're doing imaging, right? We may want to break it down by body sort. You know, would it be interesting to take a look at it, and if we were not having to rotate the patient every 30 to 45 minutes as you move them from one section of their body to another, what if we allocated the machines to a particular body type?
So when you're scheduling the CT imaging of the day, which tends to be very long, elongated kind of a process, right? Do I look at head and shoulder? Do I look at thoracic? Do I look at hip? Do I look at knee? Do I look at ankle? How do I break down the functions of it, and do I allocate the boxes that way?
It's a byproduct of what we do through visibility. But it is absolutely, we have enormous clients across the country that are asking for that. And I'm sure they're asking our peers in this space as well. Like, you know, there's a huge community of us that wanna do the right thing by our clients.
We're not the only ones doing this by any standards, but that's the kind of the new entree into what we, what people are expecting from traditional visibility versus really pushing the gamuts of what you wanna do for utilization on the asset.
Drex DeFord: So, I mean, that's a great connection to the clinical folks, and I wanna remind folks who are with us, if you'd like to ask a question, please feel free to pop over into the chat and ask your question and we will build those up.
Holly's gonna keep me squared away, our producer, and , we'll ask your questions a little bit later in the webinar. Jim, kind of down the same path. It's great to know what you have and what patch level it's at and how much it's used. Are your clinical engineers pulled into this too?
James Bowie: Yeah, absolutely. Every device we get, we tag to a team, right? So it's not only just clinical engineers, but all of IT. So what helps us from a cyber incident perspective is when we're seeing something weird or, you know,
an imaging machine's reaching out to Russia for some reason. Now we can very quickly figure out where to go and who to talk to. It's like, hey, did you know this x-ray? Is that normal for it to talk to Madagascar? And no, normally the answer is no. But a lot of times, before we had good asset management,
discovery and could see that traffic, we would have to scramble for a while. 'Cause most organizations, guessing, just the ones I've been at too, are not great at tying an asset to a team that knows it or an expert. So as a cyber team, you're running around trying to find SMEs or subject matter experts about this thing.
Right. You don't wanna shut down a ventilator or some sort of cancer treatment product, so then you've gotta get on the phone or on the horn with somebody in the unit. If you've done your location tagging correctly and pulled it in through wherever it's at, and be like, hey, can I shut this down? Because
we'll deal with the cyber threat or even just the IT issue, but we don't wanna cause an adverse event on a patient or hurt somebody.
Drex DeFord: Yeah. Oh yeah. I mean, so let's go down the resilience path here a little bit. How do you define it at Tampa General and how does it affect your decisions around how you're managing assets and prioritizing work and creating efficiencies?
James Bowie: Can we still provide the help? We need the help. And that's what it comes down to. At the end of the day, our definition of resilience is, can we meet diverse and critical challenges while letting operations continue to flow and treat the patients, and treat the customers, because they're the most important thing.
And if we can do it in a way that they don't even know something's happening, that's like the top level, like you're at the top of whatever pyramid you wanna call that. Right? If you do it with a little bit of interruption, okay. And when you get into downtimes, that's when you no longer have resilience.
So really the quick definition of it is, can we still treat people effectively and safely, and whatever, however, it would fold into that.
Drex DeFord: How have you seen organizations build speed into the new model so that they can catch this stuff? As Jim sort of talked about, catch this stuff, kill it, so that for end users, it's like nothing ever happened.
Mick Coady: Yeah I think some of that goes back to the influx of how you manage all of the different tool sets that people are using, right?
We're just like one of, you know, several that Jim has to manage through and everything else that goes into it. So when you look at this, it's how do you effectively build that chain together that gives you the information at an expedient level. That allows you to make these decisions quickly.
Right? So some of the other parts and pieces of what we're finding too is, how do we get out ahead of even CVE scoring, right? What are the aspects of what we're doing around the threat intel space around, okay, fine. We know that isi.xe, you know, 18 months ago was a three. Today it's an eight.
Like cyber ops sends, all this stuff falls right back down onto our shoulders every single time when we're trying to do this bit of work. But what actually should be evident is that we're able to span the work out to the right individuals. There's no one in cyber ops gonna go out and jump on and grab a USB stick and go update, you know, an infusion pump, right? That has to happen with the clinical or the biomed squads, or what they do. Network infra has to have a role. Endpoint has to have a role. All these people have to have a role when it comes to taking care of images or all these parts and pieces.
So when you look at resiliency, I think what has changed from "it's all cyber ops and it's all our problem, and it all falls onto our thing, and then we redistribute everything back out" is that now you're operating as a completely different style of a unit, where everyone's already involved together and basically we already know what the roles are, because, to his point, we know who's communicating to that asset on a regular basis.
Hey, let's isolate this, or right-click, ACL, let's block, hold for a second. And that level of intelligence is where we're trying to get to. And I believe in certain cases we're getting to that. I know we're definitely producing some of that, and Jim is pushing us again to the edges to kind of get to that.
So to shut it off before it even begins. But I think as a community, that's where we've gotta kind of get back to it. And I know, you know, there's been recent conversations around where the CVE scoring is going, what CVEs are doing in general.
James Bowie: I mean,
Mick Coady: those were also written, you know, 8, 9, 10 months post them even.
And I think what gets lost, and recently I've had different conversations with CMIOs and CMOs, is where the air conditioning system, if that simple thing, there's a PLC that's faulty on an air conditioning system, right, that takes down a surgery center up and down for a six-week period.
How much revenue do you think is gonna be lost when you're doing that? Mm-hmm. We don't necessarily think about it in the traditional cyber resilient thing, but I will tell you it's not uncommon for a CMIO recently to kind of hand me my rear end and remind me of my consultant background, which is: I run a hospital.
I'm looking at operational resiliency. Cyber is just one part of it, right? I need to run a hospital to keep it up and going; you are a part of that. But if you've got the ability to provide me asset visibility into a PLC failing on a Trane air conditioning system, I need to know that, right?
That's gonna impact how I run my surgery center today. And it's just something to keep in the back of your mind.
Drex DeFord: Wheel around and ask questions about, we're having these problems, can you tell me anything about what you might know about why we're having this problem? Yeah. You see that from time to time too?
James Bowie: Yeah. The best part about a cyber program, and this helps you align and get more funding for your tools or whatever it is you need to do, or even just the infrastructure alignment, is we join.
I mean, everybody should, but we join any of the downtime issues before they're even issued. If someone's troubleshooting, we're happy to help, because you are the collective intelligence hub for an entire IT organization, if you're running your cyber program to the ability that you can. Obviously, some people get stuck.
Drex DeFord: You know everything about everything now.
James Bowie: Yeah. So if you wanna get collaboration quickly and/or funding to your environment, start helping them out. Give them access. In every one of these tools that I can think of, there is a way to give access without giving 'em access to sensitive information, so they can't see what the CEO's surfing or whatever.
But you can give them the information so they can go in and start troubleshooting things as well. There's a bunch of cyber tools where you can watch every network hop and see exactly where the issue is very quickly. And now in an industry where not only is minutes millions, but patient health and safety is at stake, because when you reduce efficiencies for operations, they make mistakes.
You can't do this. And you wanna talk about speed too, and I'll get you this article I read late last night. There was a group, they released a CVE. You know, CVEs get published ahead of time. Not the results, but like the number and a subject, right? Found a CVE, went to the product, asked the AI to analyze the product with the CVE, and the AI is like, oh yeah, here's the vulnerability they must have found.
And now, before the vendor has a chance to publish or do anything, the AI has figured out the problem. Now you have a true zero day without a patch. Talk about needing to be ahead of your environment for watching, not just for known things, but for behavioral issues and equipment. That's what scares me and keeps me open right now.
Yeah.
Drex DeFord: I mean, you know, realistically, this is all part of a zero trust approach. Let's not call it zero trust, 'cause for some reason it's one of those words that, you know, people click out, maybe, when you start talking about it in some environments. But buzz, that idea of that's what you're looking for.
Mick Coady: Yeah. It got buzzworded to death, which is a shame, because it ultimately leads to macro/microsegmentation, which leads to more responsibility. Right. Ultimately what you're doing is you're assigning responsibility to the people who actually need it to get their work done, but it also builds 'em into the collective of what Jim said about the intelligence of it.
And that's the thing, right? You look at what we look at from intelligence or threat intel feeds or all these other kinds of things, that it's not just having a vulnerability and, according to a CVE, it's a vulnerability. How much is it being exploited? Yeah. Right? Yeah. The exploitation of that is what actually matters.
And that's the better intelligence, and that's the better and more, quote unquote, use of your time with your team. Instead of them chasing whack-a-mole all day long, and everything's red all the time, and screen fatigue occurs, and then, you know, things get missed. That's when things get missed and things start to get left behind.
Drex DeFord: When you know what you've got and you can come up with a mitigating circumstance.
I mean, it kind of rolls back to the idea that it's a lot of patching if you do it, but you don't necessarily have to do it depending on how you're managing that inventory. Correct.
Mick Coady: Yeah. Right.
Drex DeFord: In a similar vein, I wanna make the switch to the idea of the organization going through transformation initiatives.
James Bowie: So I'm gonna take a step back to that. In order for the operational non-IT slash non-cyber people to even want to have that conversation with you, you have to teach them the importance of cybersecurity.
And if you teach it to them in a frame of "here's how you can help the organization," they may or may not care, right? Just humanity. But if you teach them how to be good cyber stewards at home, that same behavior is what you need at work. So if you get the buy-in at home and they realize, oh, I shouldn't store passwords in browsers, I shouldn't store, you know,
my dog's name as the same password on every site, then they'll carry that over into your environment. And now they're healthy. They realize how dangerous it is and how easy it is. And then they'll start to involve you much sooner. Right. Which is what we're talking about there.
And dollar signs. They don't care about CVE numbers, and they don't know what an LLMNR attack is, or passing the hash, or stealing tickets, or whatever. They don't really care. I mean, they care about the outcome but not how it works. So if you can tell them, hey, that thing you want to do exposes us here and exposes us by this much money, everybody speaks money.
It's just how it works. And by doing that, you've now helped them make better decisions. You're not just the nobo again, you're now an ally. Like, here's the two or three paths we can take, and here's how much risk that exposes us to. And usually they'll come to the same decision you want them to, but they'll think it's their idea, which is the real trick.
Drex DeFord: I mean, I think it's a great approach to this, because you are speaking a common language that everyone has. How did you come around to this idea?
James Bowie: Actually, I gotta credit Dan Holland, who's one of my deputy CISOs. I was having a conversation with him and I was like, the way we do metrics as CISOs is really bad.
Like, we go in front of these boards and we talk about mean time to triage and mean time to resolve, which are great numbers for CISOs and cyber ops to run. That's how I fly the plane, right? They don't need to know the altitude of the plane. They just need to know that you're getting 'em to Albuquerque safely.
So I was like, what's a better way to talk about this? And he talked about FAIR-CAM, it's an open source standard. There's other ones too. We're not going down one method or another that's more viable or not. But at the end of the day, you're running simulations; you know, you may run the simulation 10,000 times.
Drex DeFord: simulation language and all of that.
They've all heard it before, right? Yeah.
James Bowie: Some cyber people, their eyes might be rolling in the back of their heads, but speak their language, people; you'll get much better results than trying to get them to speak yours. There's third-party software that'll do it. You can do it yourself.
You can get really micro with it if you want. One thing we did is we had an imaging system that was out there and we just couldn't get traction on patching. And I couldn't get traction. Couldn't get traction. Finally, on that imaging system, we said that imaging system is exposing us to $7 million worth of risk.
Can you please patch your system? And I sent that to all the VPs, and, you know, the next day they're like, hey, we actually don't even need that system anymore. But it was a fight up until that point, right? So now you've just mitigated that risk. You can go in front of your board and be like, we were at, making these numbers up just in case any lawyers are watching, we were at $50 million of risk and now we're at $25 million of risk.
But there's a lot to it. And we can talk for hours, and I can summon Dan in here. If I say it two more times, he'll pop into the room next to it. But it takes a while, and it's well worth it. The board, when I started shifting 'em off of that, just ate it up.
And one of the things I had to do to get there was talk about survivorship bias. And here's the metrics you're used to seeing that CISOs give you. I'm not downplaying those metrics. They're important to run your cyber operations program, but the board does not give a rat's about it. Their eyes roll in the back of their head.
I share this with my team, I show the board this. There's that picture of the plane in World War II, and it's got all the red dots all over where, that's all the planes that landed and where they were getting hit. And the military's like, well, where do we put armor? And they reached out to a statistician named Abraham Wald.
And he's like, no, you want to put armor where you don't see anybody landing, where there's nothing hit. 'Cause that's what the inside engine, your pilot, like this dot matrix. Yeah. Your
Drex DeFord: initial reaction to just say, well, that if that's where all the bullets are going, we should put armor there.
But the reality is completely upside down from that. Yeah. Kind of initial thinking. Yeah.
James Bowie: Those are the ones that made it home. Right. So you need to focus where you're not getting the bullets hit. Cyber operations teams are really bad about doing the same thing with their metrics.
So the way to survive that is to simulate an attack, get a third party to do a purple team. You can call it a threat assessment. You can call it whatever you want. Have them take four threat actors, go after your environment, give them a computer, give them a server. Do your worst. See, back to detect, respond, remediate, see how quickly you can detect it, how quickly you can respond.
em. Like it took us in these
And then from there you turn that into risk quant and say, this is our exposure based on that.
Drex DeFord: It's really interesting. I mean, your analogy too of like, flying airplanes and what do the people in the back of the plane wanna know versus what do the people in the front of the plane need to know?
Right. Hundreds of dials and switches and knobs and readings. But the folks in the back of the plane just wanna know, we're landing safely and we're landing on time and we're taking off on time. And that's all I really wanna know and I'll dig into it with you. You know, we can talk about tire pressure later if we need to, but, right.
Yeah. Mick, you see a bunch of folks talking about the same stuff. Does Jim have a unique approach to doing this, or are you seeing a lot of folks thinking about risk quantification in that way?
her ahead than others. There
all of the inputs correctly to get to a monetary thing. So coming back from the old Big Four days, that's what the board wants to know. And to be honest with you, he's correct. They want to know something in English. And again, it falls into what I had talked about earlier: are you saving me time?
Are you saving me money? Or are you changing my risk aperture? And if you're changing my risk aperture, show me how you're doing that. But I don't wanna know, just as, like you said, from a perspective, and, you know, I have an aviation background as well. I don't need to know what's going on with the ACARS system in the cockpit.
I don't need to know what's happening with that. The people just need to know, okay, are you on time? Are you not on time? Sometimes it's just, if you look at the way the airlines use their own metrics, right? They're measured on on-time arrival or not on time. It's not a huge set of metrics that they're gauged on when you look at the stars of it.
riateness of what he's doing
And he's definitely further ahead than someone that I've seen. Now, there are plenty that are catching up and doing it the same way, but I like the style of how he got to it. By the way, there is a Q&A kind of thing that popped up in there. I don't know if Jim and I want to take a stab at that one.
Drex DeFord: Thanks for bringing that up. How does this solution, and I think they're talking about Armis here, how does this solution complement or conflict with the task management happening through ServiceNow or other enterprise wide workflow systems?
So, yeah, Mick, take a shot at that.
Mick Coady: Well, both Jim and I can talk to this, but basically what it does from a complementary perspective is particularly when it comes to orchestration. I'm an ITIL Foundation guy, so I can talk to this from a traditional service management perspective, but if you look at the workflow of traditional asset management and how it's managed within ServiceNow, it is basically the other source of truth that needs to be run in parallel, that generally in any one of, not just from an Armis perspective, all of us who sit in this space.
y complementary, part of the
One, we're capturing the asset information. I would say ServiceNow, the ITOM module, is a good module. It does what it does, but it's also very clunky when it comes to doing discovery. You'll find that the people who play in this particular space, when it comes to med device, OT, and IT in a hospital system, we can fill out the apertures of detail
down to layer seven, whereas ServiceNow will struggle to deal with that. So the complementary overlap is one, we can fill out the fields in enormous amounts of detail that we feed directly into that CMDB. But then onward going is when we find these vulnerabilities, we find these issues that need to be remediated.
sn't exactly do it that way.
The way that creates automation or keeps the human fingers out of it. I dunno if you want to add more to that, Jim, or not, but
James Bowie: Yeah. One, Mick is absolutely the man to talk through with that. Like anybody who could sit down with him and talk through workflow, exactly like just listening to, he's way more articulate about it than I am, but I'll do it in simple Georgia boy.
Like my take on the situation: I have Internet Explorer. I want to get rid of it. I'm in the product. I click a campaign. Show me all the computers with Internet Explorer. I hit a button, it sends a ticket to every IT team that has an app or a server with Internet Explorer on it. It's constantly watching it as they're patching it.
It's seeing the tickets are closed. It's saying, yes, that's good, because believe it or not, it will just close tickets without remediating an issue sometimes. So we open it if it needs to. Right. Your team is not sitting there all day being like, Hey, where are we with this?
tly updating and it's a huge
Drex DeFord: it. That's a winner. Thanks, George Pappas, for that question.
Yeah, thanks. I've got another question. This was from the registration bucket, kind of a little, not totally off topic, but people are wondering what GRC tool do you use, Jim?
James Bowie: A bunch actually. Excel is the main one. Microsoft. No, I can't. There is a big part of it. But we use CyberSaint, Safe, ProcessBolt and, believe it or not, and Mick might roll his eyes at this, Armis
we consider a GRC tool, and we actually pump the information we get from Armis into those tools and they're helping us keep track of the risk exposure based on it. And we can go in and start running our maturity models based on it and based on, you know, do we have the right protections?
SF area, say, Hey, what's my
Drex DeFord: run through it. That's great. I appreciate that.
You know, last question for Jim: given limited resources, how do you go through the process of prioritizing security investment decisions?
James Bowie: There's two things I do. One, my team asks me if they want a product. If they go through it, they buy the product, I then go back and make sure they've logged into that product after six months, and then it goes away if they haven't, right?
That's the easiest litmus test if you're dealing with a certain budget. The other part is we use the risk quant, honestly, but it's from a different perspective. I'm trying to use an explorer. Or TLS, or you have something using SSL version two or something. I dunno. If you have an issue, it's more issue based.
that is a major, I assign a
Or remediate. And it's just triage. And we start with the big chunks. Now, I don't want this to sound like a commercial. Armis has that built in too on their remediation, not the quantitative part of it from a dollar perspective, but they actually will score all your stuff from not just a CVE score, but from a, this is actually being attacked,
we recommend this stuff score. And it's pretty much, if I risk quant that, it matches up like line for line. So then it
Drex DeFord: kind of self builds your ROI
James Bowie: Mick, do you wanna add anything?
Mick Coady: We've decided to add some other things. I think an awful lot of the systems like yourself, right?
You've seen the new age of where we're going with this. And again, like I talk of the community as a whole. It's not just about us and it's certainly not a commercial. I appreciate you saying that, but at the end of the day I know what our competitors do in this space, and what we're trying to get is for everybody, right?
s. So like when there's idle
That all of that kind of melds together, that you're getting the best bang for your buck on what you're doing with the tooling that you acquire. Right, and I agree with him. It's not uncommon that you find, you know, we have application level data. When it comes to things, if I see that there are DLLs or EXEs that haven't been touched in six months,
why do you even have those? Right? Why is that application or that technology even in existence? It should be outta your environment, right?
Drex DeFord: Hey, thanks. Unfortunately we are out of time. So I'm gonna call it. This has been the Security is Efficiency, Cyber Resilience Strategies for the Future of Healthcare webinar with James Bowie, the CISO at Tampa General Hospital, and Mick Coady, the CTO at Armis.
Thank you, fellas, for being here today. Hey, you guys are quiet.
of, but thanks for strengths
Drex DeFord: Thanks to everyone who joined us today. We appreciate your questions and your participation. And again, thanks to Armis, who made the whole thing happen.
We appreciate the incredible relationship that we have with your team. I'm Drex DeFord from This Week Health and the 229 Project. Once again, thanks for being here, and it's cybersecurity, so stay a little paranoid and we will see you around campus.
Thanks for listening to this week's keynote.
If you found value, share it with a peer. It's a great way to discuss the issues and in some cases, even start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. That would be really appreciated. Thanks for listening. That's all for now.