May 26, 2025: Dennis Leber, Cybersecurity Executive with a rich military and CISO background, discusses the current healthcare landscape. Dennis shares his unique journey from police officer to cybersecurity leader, challenging common assumptions about career paths in the field. As boards increasingly face responsibility for security breaches, what fundamental communication strategies should security leaders employ when explaining complex technical risks to non-technical executives? The conversation explores the gap between security professionals and boardrooms, with Dennis advocating for a "basic life-saving skills" approach to organizational security. Through personal anecdotes and pragmatic insights, this episode offers a refreshing perspective on leadership, talent development, and the evolving responsibilities of today's security executives.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack the Podcast: CISO Changes and Building the Cyber Foundation with Dennis Leber
Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity, and risk, and the people in process and technology making healthcare more secure.
And now this episode of Unhack the Podcast.
Drex DeFord: Hey everyone, I'm Drex and this is UnHack the podcast. We kind of go all over the place and talk to lots of different folks.
And today I have Dennis Leber here. Dennis has been a man, like a long time compadre in the cybersecurity business. We've known each other since your days back at UConn, maybe
Dennis Leber: That's correct.
Drex DeFord: Yeah. So, how's everything going? Welcome to the show.
iting me Drex, It was really
Things are going pretty well. It's staying busy, trying to have a positive influence in the cybersecurity community and industry and businesses right now. Focused a little bit of work on my consulting while I look for my next permanent gig. But helping organizations address their cybersecurity needs some tools and solutions within and if possible a lot of V-CISO work right now helping some healthcare organizations that do currently doing some V-CISO work.
Drex DeFord: It's interesting you like me, have a military background.
years total service. So in:drive to get to the one unit
He just kept bugging me and bugging me. So I said, I'll try it. If you shut up, leave me alone. I'll try it. Well, the Army then reserves had to try a year program. So I signed up for a year and I stayed 11. And I actually got called back to active duty with the Army during the second Gulf War. Did four years at active with them.
So yeah, 17 years in the military altogether, I. And I, now, I'm a hundred percent disabled vet, so Oh. Like a lot of soldiers, they just, wear your body down. And that's what I do now.
Drex DeFord: I get it. I'm a little banged up myself. 20 year Air Force retired right. Retired Air Force officer.
Also at the, in the first Gulf War. That's interesting. So we've probably chewed some of the same dirt. There was a lot of waiting around. There was definitely a lot of waiting around for something to there was, and then it all happened in a really short period of time.
then, yeah. It was sporadic.
Drex DeFord: It was, let me ask you beyond that, a little bit about your background. Did you wake up one day and say I think I wanna be a CISO?
Dennis Leber: I did. So further back from my career when I got out of the military I was a police officer.
So I went back home to Louisville, Kentucky and I joined the police department and spent almost 17 years there. I made a decision to leave the police department and started working actually at UPS and went to school and between UPS and school in the Army Reserve, I started getting into technology and started getting into degrees.
I had always liked technologies. I was probably one of the first police officers in Louisville to have the computer in my car. But through the military and through school, I started really focusing all my efforts in learning into technology. That's the future,
arting my master's degree in
When I got to the unit, I was an E seven.
And they said, oh, you're getting a master's degree in IT. Well you're the S6. So the military paid for all my education, that's all my certifications. And then I gained that experience 'cause I got to work in IT. In concert with the other mission of our unit, which was training soldiers to go to combat. I actually left the military a few months early of my four years because I got a job offer in IT.
And that whole time was, I'm studying and focused on cybersecurity. I was like, I wanna be a CISO someday.
Drex DeFord: I've asked a lot of folks that question. You may be the first person that's ever said, yeah, I did wake up one day and said I wanted to be a CISO.
. So that's a good spin. You
Dennis Leber: Through my journey as a CISO, and this isn't meant to be disparaging to anyone because everyone has a different path, as you've mentioned to that title. But I've met CISOs and even CIOs. So you could make that a very general statement of that article. But I focus on CISOs 'cause that's my world, and
having conversations with 'em or going to events, and you listen to some of the things you're saying, you're like, man, that's the way we did it 20 years ago.
Right. Or, Hey, are you ready for quantum computing and AI? Because I see these things. I'm like, I went and got certified in NASA security.
eers are folks that wanna be
At a level to the organization that they truly do have the impact and the authority.
Drex DeFord: So there's really kind of two things. One is maybe they're just stuck in a position. They're only given so much authority and they can't really work their way out of that. Right. And the other one is, and this is the one I see, quite a bit too.
And it kind of is across the board. Not just all technology people, other folks across healthcare organizations too. change is really hard and they get stuck in the thing that is working for them today. And so that's what good looks like and they never try to break that thing to try something, new or better that's come along.
for years, I've always like,
I went and got the QTE certification that says, Hey this executive, this technology executive is ready to serve on boards, but we're not doing it. Right. And the courts have been shown recently in the real recent, past is the boards are responsible, the CEOs are responsible, right? The C-suite executives like the CISO.
Contribute to it, but the overall governance of an organization it's like Jocko Wilson's the extreme ownership. Well, you're the CEO or you're the board. Okay, that guy screwed up, or that gal screwed up, but you're extreme ownership. And so that's a part of it too, but I also look at it and go, what did I have to learn?
As a cybersecurity executive to have conversations with CEOs and boards. So that's another problem that we need to solve and we're trying to solve is I'm not a board member or my CISO is not interacting with the board because, well, no one's taught us how to do
And
have you gone and asked.
d The Two Minute Drill. It's
The CEO of CrowdStrike. And he actually spent some time at RSA talking about. CISOs being on boards and why it's important CISOs are on boards and kind of how it happened eventually that a CFO was on every board, yeah. Not from that company, but an outside CFO was on every board and he sees this day coming where every board will have an outside of that company, CISO actually sitting on the board because security has become
so integral to everything that we do. And he talks about the, like, here's some of the things that you need to go through, but a lot of it is just like, you don't have experience. And how do you get that experience to be on a board or selected for a board. How have you gone about it?
Dennis Leber: Through grit and determination. You take the
ifications and then get your
Sure. Going, okay, well what did I have to do at that board? What did I do to be invited to that board? How do I get better once I'm on that board? I've gone to some of the CFOs at companies I work for that are on boards and go, how does a person like me get there? Right? And before that, even as a CISO, I've had multiple roles.
Even like at UConn, I reported to the board, like, if you remember Mark Boxer, I still talk to him occasionally, but I went to them and said, what is it that is missing? What is it that I need to bring? I can tell you about these metrics, but are they valuable? Because that's where I started really changing my thought to what are the goals of the university, or what are the goals of this company?
is how implementing Control
The main thing is if we do this, we will positively, if we don't do this, it will negatively, or if we leave it the way it is, this may occur and we won't make a million dollars next year.
Drex DeFord: Yeah,
Dennis Leber: so, so
Drex DeFord: a lot of it is tied to risk and that risk conversation and how you relate cybersecurity issues to board members who may not be cybersecurity professionals.
How do you do?
that
Dennis Leber: it's education, fortunately with all my adjunct teaching and I've always had some kind of instructor role from, even when I was 18 in the Marine Corps, I helped teach firearms. I owned a martial arts school and I still do professorships at several colleges and attained my own PhD.
e learns differently. So you
And you gotta ask those questions. What's the best way for me to teach you how to do this? And then teach 'em how to do it. The other thing that I'm working with I'm working with another university and I hope to have something soon, is borrowing from our military experiences. And one of the things was
looking at basic life savings, and I wrote an article on this too, you may have seen it. Uh huh is every soldier that goes on the combat field is now taught basic life saving skills, and it has enhanced the survivability of combat wounds on the battlefield exponentially. And I forget the number, but it was night and day there.
No,
Drex DeFord: absolutely. I, I spent my career as a medical person and as a, I have a Army expert field medical badge. I'm one of the few Air Force guys who wear that. And yeah that fundamental skills really saved lives every day.
Dennis Leber: Yeah. And so how do we apply that to our everyday workers in our organization?
top to bottom, right? So you
Here's all the things we do, and you do your annual training. You get this instilled and instilled. So yeah, I'm using that as a small example. It's like, oh, how do you have that training where, and your staff goes, I know what to do here and does it. Right. And now you've decreased the risk of your company getting hacked.
How many companies we look at time and time, we see all these hacks, and especially in healthcare, but when you start looking at, it's like, well, someone just gave up their credentials. Right,
right.
Right. It's these simple things or you didn't have it. There's a lot of complexity to cybersecurity, as we all know, but really basic hygiene, basic cybersecurity is always the winner and.
Somehow or another we're still failing. I've been in this industry for 20 years and we still fall victim to the same things over and over.
ah. So that's part of it. It
That's right.
Drex DeFord: I'm gonna pick on you with a couple of other things are you ready for the lightning round? We're all super busy. So I'm, now I'm just kind of wondering, this is about you personally.
When you get unfocused or you feel overwhelmed, what do you do? Or what question do you ask yourself to kind of get back on track?
Dennis Leber: I learned a long time ago how to manage time. So I think I've managed that well. But when it's time to disconnect golf.
My dog,
my motorcycle's probably number one. And a good cigar.
Drex DeFord: Nice. What kind of motorcycle do you have?
Dennis Leber: I have a
Drex DeFord: Oh, nice. Love Indians.
Yeah, rode a chieftain for a while, so
Dennis Leber: that's a great bike. Yeah.
Drex DeFord: Here's another one. Probably a lot of young people who'd like to get into the cybersecurity business or people who talk to you about getting into the cybersecurity business.
What
Dennis Leber: All of it. All of it because there, I see a lot of that stuff online and you pay for a course here and there, and none of it to me gets anyone anywhere because the biggest problem I have. As a CISO when I'm hiring people is they don't come in with the basic skills similar to what we're trying to teach staff that work not in cybersecurity.
And I like to tell this story 'cause I think it summarizes my approach to it. I don't think it's wrong to go get degrees, but it shouldn't be the only thing you do.
I also think you should get certifications because HR's look for that and there is a basic knowledge and fundamental of what's going on to get certifications. You can't just go in there and just not have any clue of what that's going on. It does require at least study, but it doesn't mean you're a good cybersecurity practitioner.
e free YouTube videos. There
But back to the story, when I worked in Kentucky, I had a pen testing team. Had guys that were really scary good pen testing. They're not influencers and I think they're better than any influencer that's pen testing online I've ever seen. But we were hiring for a new role. And we had a guy come in and the director at the time that was running that pen test team, he set up a pen test.
He set up two computers, cable connected. He ran something on one side, they had to respond on the other and he really tested 'em like, can you hack? And the guy that we hired not only did very well in that because we didn't tell him that it was occurring, so it was under pressure.
He came in with a mountain of paperwork.
college classes, he went to
And he rolled them and he had a stack of them. We hired him before he left the room.
Drex DeFord: He was a really good pen tester, but he'd really put a lot of time and effort into the practical, pragmatic experience that he would need to do the job well,
Dennis Leber: right over and
Drex DeFord: above.
Dennis Leber: Yeah. Yeah. But a homeland, because you're never really gonna learn cybersecurity until you do it.
ike this one. And then focus
I was fortunate to do this at Kentucky. Kentucky was very supportive and had a nice budget, of course, too, to do this. But we created a general cybersecurity analyst position in Kentucky. And I jokingly say the only requirement is the candidate needs to know how to spell cybersecurity. And the running joke is, does it have a hyphen?
Is it split or is it one word? We would rotate them through every division that we had in the cybersecurity office. So they went to the pen test team, they went to the GRC team, they went to the, our team, they went to the audit compliance team. They did all these, right? And of course, everyone we hired like that wanted to be a hacker.
None of them became hackers.
And the one person we hired, they really fell in love with GRC, never even knew it was a part of that branch of cybersecurity. I know that today that person's still the director of the GRC team. So they got promoted up through that team.
Drex DeFord: It is really interesting.
t, the other things that you
You just have an idea about how they're all connected together.
Dennis Leber: Absolutely. And I think as a CISO going back to that, you have to have that understanding and knowledge of all those areas that you interact with.
Drex DeFord: Yeah, for sure. Okay. Final question. How do you spell cybersecurity?
Dennis Leber: Yeah, I haven't figured that one out yet.
I probably put it as one word. So.
Drex DeFord: Thanks. I appreciate it. Dennis Leber cybersecurity executive extraordinaire, really appreciate you being on the show today. If there's anything we can ever do give us a shout. Thanks for being on.
Dennis Leber: Yeah. Appreciate you.
a review wherever you listen