January 27, 2025: Matt Christensen, Sr. Director of Cybersecurity at Intermountain Health, delivers an insightful discussion on the intricate balance of technology, leadership, and the human factor in cybersecurity. How does Intermountain Health’s approach to systemic risk reimagine third-party management in healthcare? Why is the human element—often labeled the weakest link—still undervalued despite its role in 90% of breaches? Matt reflects on the paradox of advancing technology overshadowing foundational cyber hygiene, sharing his experiences with governance, risk, and compliance.
Key Points:
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain-English, mostly non-technical show about cybersecurity and risk, and the people, process and technology making healthcare more secure.
And now this episode of Unhack the Podcast.
Hi, I'm Drex. And this is Unhack the Podcast. We spend some time hanging out with some pretty cool people and today is absolutely no exception. Hi, Matt Christensen, how are you doing and what's going on out toward Intermountain Way?
Hey Drex, thanks so much for having me, and doing great. We're just staying busy. That's the easiest way to describe what's going on at Intermountain: we're busy. There's always something...
You're on the Eric Decker team, so there's no shortage of excitement because of that. Tell me a little bit about your background and what you're doing now, what your job is and what that entails, and just give me some insight into the work that you're doing.
Sure, you bet.
So I've been in cyber now for about 16 years. My introduction to cyber came from a college professor who said, unless you have people going back to being honest, you'll always have a career in cyber. And that hit home with me early in the "what do I do" phase of my undergraduate.
I was actually in entrepreneurialism and marketing. Those were my two majors. And then I took an IT class and had this amazing professor that just opened the world to me around cyber. Changed everything. Yeah, Dr. Randy Boyle, give him a shout out. You know, what I do on the day to day...
...team is in pillars and in...
All of that ultimately rolls up into what I do on a daily basis. And you mentioned Eric. I have to say, to have him as my direct boss and the Intermountain CISO has just been incredible. The leadership that he brings is just phenomenal.
There's so many things I want to talk about with you.
Let's start with just you and Eric and the HSCWG. I feel hugely fortunate to be a member and to be involved and to be able to see the work that you all are doing and talk about the work that you all are doing. But is your membership in the CWG something where you got pulled in by Eric on something?
Or is it something that you've been involved in for a while? How'd that come up? 'Cause you're running some of the groups. You've actually been a group lead on...
...force anyone into something...
...if you want to do anything with it. Yeah, one of the groups that I'm working on right now is just enterprise risk management, just writing guidance for how small, medium and large practices can roll out ERM and how they can be successful, specifically since it's not just cyber focused.
So that's one area that we're working on. Another area that I just barely got looped into is actually where we're defining what systemic risk is. So it's actually gonna up the way that I think organizations, and specifically in healthcare, do third-party risk management. So instead of just focusing on...
...and we all saw that downstream...
So that's what this working group is really focused on. It's just honing in on the critical areas in the delivery of care, that ecosystem, and then honing back on how we can protect not just one vendor, but the entire system. Hence the name systemic risk.
...we all have problems. And in multiple industries, airlines took a huge hit with that particular single point of failure, right?
Healthcare took their hit as well. Yeah.
It's amazing. One of the things you and I have talked about is the human part of this. You started a big deal on LinkedIn. A bunch of people jumped in on the conversation, but you made the point that most breaches...
...conference's content? Focused...
It's not about that human weak point. What are your thoughts on that? How do we make that better or fix it?
Yeah, that was an interesting post, because you always wonder how the community will take certain provocative statements. Do I believe that 90 percent of the conferences should have 90 percent of the content focused on securing the human?
I don't.
Yes.
But it blows my mind that asset number one, which is you and me if we work for an organization, tends to not get the level of attention commensurate with the risk. And this is true in all the frameworks too, right? What's the first thing that you do in most of the frameworks? You inventory your systems, you inventory your applications.
...the risk that they present to...
90-plus percent of significant breaches start with breaking a human first. And the bad guys know this.
That's why they're successful.
...good at it. Again, I go back to...
There's plenty of that problem too, but like you said, most of it started with some kind of stolen ID, or figuring out how to get an ID and an MFA through an individual that works with the company.
Yeah. And I think there's an opportunity for all of cyber to update their training and education.
...trainings and those quarterly...
Like, the average employee probably doesn't even know the term social engineering. So if you blast your content filled with these technical terms, it's just going to go right over them. But when you can break it down into "this is how a help desk call that goes wrong could impact the service that you provide,"
now you've got their attention. I think most of the opportunity to boil training and education up is within cyber itself, and I'm actually a fan and proponent of not just measuring training and education; that seems very check-boxy. What I want to do is measure behavior change. I want to see what good behaviors people are doing more of or should be doing more of, and what bad behaviors they're doing less of.
To me that is a far more effective way of actually measuring progress.
When you talk to maybe very non-technical people on the board or very non-technical people in leadership positions about these technical things and help them understand why cybersecurity issues are really important, what are some of the techniques that you use to make that case?
I'll share some that I've used in the past and some that I know our current leadership leverages, and you don't BS your way around it.
...allow the business to run...
These systems are down for a prolonged period, not hours or days, but potentially weeks or months. Now, how do you run your business? And what does that mean if we have to completely rebuild? How do you continue to deliver care in our world versus having to divert? And I think when we can speak at that level, and not just theoretically but plan it, build it, exercise it, actually take the things down, now you're talking their terms, which is: how does this impact our customers?
What does that do to the communities we serve? There's a whole bunch of scenarios there, but I think that's the easiest way. And it isn't easy. That is hard work. Anyone that claims to do that in a short period of time is probably just exercising or having a workshop, not actually focusing on operational resiliency.
...you really have to get to...
...one of the board members was a professional golfer. And so you have to try to figure out, and you never know, right? This is, yeah, looking at the people that are in the audience you're going to present to and trying to figure out how do you connect with that person? Like you said, that's not easy. It takes a lot of work.
Yeah. Unfortunately in my role, that is something they're smart enough to send Eric to; they're going to send the CISO for that. But he doesn't just play the game. I don't think any wise CISO would think, how can you swoon your way to the board members? I think the smartest...
...two different priorities. And...
So in fact, one of the best success metrics is when you have a board member bring up cyber, or when you have someone presenting to the board about a risk to cyber and it's not coming from the CISO. So now I think you've reached an optimum level.
Yeah, I think that's a great indicator.
I want to ask real quickly about this. I saw that you presented something a while ago called "The Firehouse Can't Burn Down," and we have all these fires going on in Southern California right now, and for some reason... it is terrible. We all have friends down there that have lost clinics.
I talked to a friend of mine earlier in the week, and one of the clinics in their health system had burned to the ground. Folks are being evacuated. It's crazy, but it caused me to think about, just name-wise, it caused me to think about this presentation, and it sounds like there's a little bit of a story there, and I'd like to hear it.
I live in a rural town where multiple times every week our family has been able to watch this firehouse...
And it's meticulously placed. It's not just a roll or a blow-in. It's very prescriptive squares. And so I started doing some research and I was like, how often do firehouses actually burn down? Oh, and then they spray the whole thing with this black retardant. And I found that in Germany last year, in October, there was a firehouse that didn't burn to the ground, but it was 20 to 25 million dollars in damage.
...fire alarm didn't go off at...
Surely if they smell smoke, something goes awry, they're going to be able to put it out. It's the fireman's job to do that. But in this case it didn't happen. They lost 25 million dollars for not putting in a few thousand dollars' worth of monitoring. And so I got thinking about this, that in cyber, we can't let the firehouse burn down.
It has to be programmatically sound. There are just non-negotiables. You have to build a program in a certain way. Otherwise, you're going to have incidents and not even know it. So that was the talk that I gave at a conference, and it was literally one slide: I showed a picture of this firehouse being built, and we had some great discussions around it. But I think it just goes to show you can never be too sure; don't skip the fundamentals.
That's typically where we get burned.
Yeah, the...
That's how we keep ourselves safe.
I think about that Vince Lombardi line, where it's "Gentlemen, this is a football," and "Gentlemen, this is a football field." And my team gets so tired of hearing me say we've got to master the fundamentals, because I think it's in those details that, if you've been in cyber long enough, you can skirt around. You can say "I got that," you have that basic level of understanding, but if you want true programmatic growth and maturity, it's mastering those fundamentals.
...and personal, but what's your...
...whatever you want it to be.
For work, my favorite metric is when an individual contributor gets recognized by a senior executive. I love when that happens. Too often the leaders get the recognition for the work of the individual contributors. So that's one that I like. Another one that comes to mind is when you've got a process that you own that's a pain in everyone's side.
And you're just getting peppered with "this is broke," and here comes another escalation from this VP, and there's 80 unresolved tickets. When you can fix that and go months without having a single escalation, that's an intangible, incalculable metric when you actually think about true metrics.
...we hit six months without a...
He's, I think it's actually longer.
Don't jinx it.
Yeah.
I remember at one point coming into a health system, and it was part of a turnaround. And every time we had a downtime, we got an alert through email; our folks, we had a system and everybody got alerted through, like
Nagios or something.
Yeah. Yeah.
And so I used to print those out and just tape them on the wall inside of the door where, when you opened the door, a hundred pieces of paper would flutter. And it just drove everybody crazy, but it refocused everyone right on the "okay, what are we doing here that we have so many outages so chronically?" And over time, the pieces of paper became fewer and fewer, but that, "okay, there's no paper today."
What's happening?
...he had something on his board...
He's CCO, but had the CIO technically reporting to him as well. And he viewed that, the notice or every call that came in, as someone that couldn't resolve something and needed help. And he said, so that was his reminder of bettering our systems, bettering how people log into our systems, the user experience.
And I've always remembered that: every call is a failure.
Yeah. Okay, here's the next one. I know you're super busy. I really appreciate you taking time to do this. When you get unfocused or you feel sometimes a little overwhelmed, what do you do to get out of that? What's the question you ask yourself?
What's your technique to get out of that? Because people feel that overwhelmed feeling, I think, more now than ever before.
...just recognizing when you have...
And that's something anyone can do in their personal life or professional life. But even this last week, I had really good discussions with a leader that was really just, "I'm stuck. What do I do? How do we make progress?" The whole time, the conversation was just... you could tell that this leader felt overwhelmed.
And my job was to help him understand how to break this down into smaller pieces to move it forward, rather than just try and build the perfect thing.
Last CWG meeting, actually, somebody in the audience said something to the effect of, "It's really hard to eat the elephant one bite at a time when the elephant is standing on top of you and stomping your guts out."
I think there was an AI-generated image of that, if I remember that exactly.
...much. In the moment, it might...
Raj from Deloitte. I can't remember, but it was awesome. Or Ed from Cincinnati.
I think it was Ed from Cincinnati.
That's right.
The other thing, I think, is it's good to walk away from the computer. Like, it's good to take that time off. It's good to turn off notifications. I think we own our calendars, right? Like, ultimately at the end of the day, if we're overwhelmed, we should first look at ourselves to say, what have we over-committed to?
What have we said yes to? Or what meetings are we going to where we're not needed, or the meeting's not even needed? So I think there's an opportunity to look within before you blame the system and say, I'm just... Yeah.
Yeah. No, I'm with you. There are a lot of young people who are thinking about coming into cyber.
What's your best advice for them if they're thinking about going down that path?
...got into cyber wasn't through...
Sometimes the best way to get into cyber is to start first outside of cyber. Specifically, if they're looking to get into healthcare, I think it's important that they view themselves as a caregiver. And that sounds really weird, because typically you just think of the clinicians as the caregivers themselves.
But that's a term a former CEO of ours really said: "I don't care if you're sweeping the floor, if you're running finances, or if you're providing care, every one of you is a caregiver." And so I think if they come in with that mindset of "my job is to help patients receive better care," or if they work for an insurance arm, to have that commensurate service on the payer side, I think if they truly reflect this themselves as if they're directly providing care to the patient...
...into healthcare to have a...
...is you've got to differentiate yourself from the other incoming graduate students or the other incoming applicants. And the best way to do that is not through phoning a friend and saying, "Hey, buddy, can you help me get hired?" but demonstrating the value you can bring day one. So show me what relevant experience you have that is indirect to cyber.
I firmly believe someone that understands good communication, that can be a quick read, like, you have a place in cyber. You don't have to have a computer science degree or an IS degree or 15 years of networking to add value. I think we just need people that are committed to the cause and that are willing to learn.
...right? It's fundamental. I'm...
I can teach you all the other stuff, right? It's interesting. The last question. It's interesting that we have gone down this path. Part of the, I think, genius of being in healthcare is that people show up and they like the mission and they want to say yes.
...become better at saying no to...
Meetings,
Meetings.
I think that's the very first thing that comes to my mind. We just fall into this cyclical rut of "meetings is how we get work done." Now, if it's a working meeting, then I'll say yes to that, because at the end of the day you just got one step closer to the objective. So that's certainly something I've become, maybe not even just more regular with, but maybe more known for: hitting that decline button.
And I don't say that out of pride or to say I'm more important than the person sending that invite. But we have to be able to get done the work that we need to do. So yeah, meetings is one thing that I've gotten good at saying no to. I think the other thing would just be the number of projects that we tend to find ourselves with.
And all the data operations stuff that they have to do too. And you've got more than half of your staff that's doing ops work. You've got three times more demand than you have capacity.
I think culling that project list is just so necessary. It feels so good when you just say, "we're not doing this project, and this is why." It also forces that conversation of saying, is the work we're doing, does it address the threats and the risks that we're faced with?
Or is this a nice-to-have? So those are the two that come to my mind.
I like it. I like it. What haven't I asked you that I should have asked you while we were talking?
If you got enough with personal, I'm good with that. I love that you asked for advice for getting young people in, or maybe not even young, but just people who are new to cyber.
...people break in. And I've...
...did a complete career shift with zero cyber experience, and literally started from the ground up, took an apprentice position, and then has just proven time after time that his skills can add value in cyber. And he is doing incredibly well. And a quick read. It's just inspiring; it's even bettering the people who have 10 or 15 years' experience, because they're like, "Oh, whoa,"
he brings all this other maturity to it, right, all this other just work-life experience.
Yeah, that's great.
...of work with women in cyber...
And when I see that someone has that spark, when they're lit and they will do whatever it takes to get in, that's where I'll carve out time and I'll invest in them to help wherever I can. It's been super rewarding.
I will leave it there. Matt, thanks so much for being on the show today.
I really appreciate it. Looking forward to seeing you again. I hope our paths cross soon.
Hopefully soon. Thanks Drex.
That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.