We just completed another 229 roundtable. This time it was CISOs. Drex and I report out.
Today in health, it we're going to talk about the CISOs world. My name is bill Russell. I'm a former CIO for 16 hospital system and creator of this week health. Instead of channels and events dedicated to leveraging the power of community to propel healthcare forward. We want to thank our show sponsors who are investing in developing the next generation of health leaders. Short test artist, site parlance, certified health, notable and service. Now check them out at this week. Health. Dot com slash today. If you want to help us out. One of the best ways to do that is share this podcast with a friend or colleague use it as a foundation for daily or weekly discussions on topics. That are relevant for you and the industry. They can subscribe wherever you listen to podcasts. All right. We just finished a 2 22 29 project Cisco event. And. , we are, , actually I'm still in the room. I'm in the room. I'm looking at Shauna Hofer. I'm looking at Drexel Ford trucks. Come on over here. Sit next to me. We'll we'll chat about this. This will be the episode. Because it's a. It's actually late getting out there because it was supposed to be out there this morning. But, you know, we had a lot of stuff going on last night, lot of stuff this morning. , I want to talk to you a little bit. It's a short episode. Audio only audio only. Awesome. That's cool. Yeah, so you're fine. You don't have to put your shirt back on. , people are used to. To our banter are probably wondering what's going on here. , so we just, , just sat through, you know, 11 CISOs going back and forth over the last two days. I titled this. The CISOs world. I mean, what, what jumps out at you as you listen to this conversation? , You know, the. This is a job is hard. Oh, man. It's. It's unbelievably difficult now. And for a lot of reasons, there's a ton of stuff that's going on now when it comes to mergers and acquisitions and. Joint ventures and all of those things that are happening. But, , we've also gone through, I think, a progression over time of organizations and CISOs. Many of them, you know, more advanced than this. Some of them are just sort of figuring it out, but. The, how do I take things that I know I never going to be able to hire, hire people for, or do well and outsource those things to somebody that I know who consistently can do it. Well. But that applies not just to cybersecurity stuff. It replies us, it applies to stuff across the organization. So there's a lot of as a service stuff that's happening, which creates this other whole cascade event that we heard a lot about the last couple of days. Around third party risk management. And how do you. Those people are now like part of your team and you have to help figure out how to secure them to. Third third party risk management was probably the predominant topic. , it came up again and again, in different forms. Where somebody was standing a little bit to the right, but somebody was saying a little bit to the left, where they were still talking about the same issue. Yeah. A lot of 'em. I mean, it's so hard. So it's it. It's how do you let them in, what are the appropriate ways? What do you, what are the controls that you put in place for those groups, , that are coming in. , you know, are they authenticating against active directory? Are they using. , , Pam, I mean, there's just all the precursor stuff that you do to make sure that you should even be buying this product or this service there's. All that upfront. But there are some governance things there's we definitely had a lot of car conversations. Drought contracts. I'm like, alright. You're engaging with this company. , what controls and things are they going to be putting in place in order to make this, , make this work and make this happen? I thought that was interesting. I'm not going to say, I did say Shauna's name before she was here and she was one of the chairs of the events and we appreciate that. , but I'm not going to attribute anything to anybody, but there was at one point, one of the CISOs was talking about the fact that, you know, it's not necessarily the CISO's job to do asset. You know, asset management, vendor management, or business continuity. But they are such that they keep, , the organization keeps like putting those things on that. Even though it's not in their role specifically. And they had a really good conversation around what does it look like to. , lead from behind in some of those areas. , but, , I also was, you know, kind of asset management, vendor management, business continuity. Those were three topics that came up. In different, , different aspects. A couple of times, I think there were the, I'm kind of saying that same thing in a little bit of a different way. A lot of them do. Great jobs. They all do. Everybody that was here does, does a great job as a Cisco. But part of doing that great job. They see things that are upstream from them that are not done well, which makes their job harder. Right. Or impossible in some cases, And so they point those things out and often to the knee jerk reaction solution to that. Is that okay? Well, you should take over asset management or you should take over something else, right? And so you wind up with CISOs who. Really. Those aren't areas of their expertise and they really don't want to do it, but if no one else is going to do it, sometimes they wind up having to pick up some of these responsibilities. Which then puts them in direct conflict with other parts of the organization or other parts of the it department. , not good. And so there's the, a lot of the conversation was. How do you hold. Other parts of the organization, responsible for the things that they should be doing. Right. That makes the organization. Better more well-organized we talked about simplicity's, which is easier to secure and easier to operate. How do you get that to happen so that you can do. The job that, you know, you need to do as a system. Yeah. We ended with this conversation. I thought it was really interesting because it's indicative of the CISO's job and role and how it's, how it's changing in. In some cases, the CSO has full support from the CEO. Hmm. And I don't think any CEO would say they don't support the CISOs in today's day and age, not publicly publicly, a lot of, a lot of risks associated with doing that. , but some of them in this room would say, I have the full support. And so others would say, well, I have the verbal support, but I don't have like. But the talk to talk. Do you walk the walk? The financial backing or. I can't get FTS. I can't get, you know, I. We're not able to do some of the things that we're doing. , but I was really taken with, I sort of stepped into it as a facilitator. And one of the, one of the people talked about leading from behind. And essentially how they have driven a great relationship with legal, great relationship with compliance. Great relationship with, with, , champions within the organization and then built governance around those groups. And have been able to affect change through really, almost a bottom up strategy instead of a top-down oh, I need the CEO to state these things. Although that person did have the CEO sport. , having that, that group of champions. It gives them the ability to really have an influence in the organization. I mean it, if we talked about third party, risk management, a lot. During the session. The thing we talked about almost as much. Was relationships and relationship management and being transparent and figuring out the who are the people that I need on my side to help influence the organization as a whole. To do the right thing, to be able to get to the place that. , we need to be so, , yeah, relationships turned out to be an incredibly important part of the whole conversation during this teaching. And well, Hey, I want to thank you for jumping on this, by the way, for sure. , appreciate it. I look forward to the next time. It should be pretty soon that you're coming back on the, , the new station. I think we have something being scheduled, . Well, that's all for today. If, , if you can, one of the ways you can help us out is to share this podcast with a friend or colleague. And we really appreciate that. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders, short tests, artists. I parlay it's certify health, 📍 notable and service. Now check them out at this week. Health. Dot com slash today. Thanks for listening. That's all for now.