This Week Health
UnHack (the Podcast): Cybersecurity - From Restrictors to Facilitators with James Bowie

April 28, 2025: James Bowie, VP and CISO of Tampa General, explores the human side of cybersecurity leadership. Facing a fragmented IT team, James reveals how a $20,000 investment in ethical hacking training eliminated millions in security risks in a single weekend. Then, how do healthcare security leaders balance life-and-death decisions when ransomware hits critical services? The conversation delves into managing AI implementation safely in healthcare settings, with James detailing their two-week governance turnaround that laid the foundation for all AI projects to come.

 

Key Points:

  • 02:56 Building a Cybersecurity Culture 
  • 07:00 AI and Cyber Foundations
  • 11:29 High-Pressure Situations
  • 15:39 Bonus Round: Personal Insights and Advice

 

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity, and risk, and the people, process, and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Drex DeFord: Hey everyone, I'm Drex and it's UnHack the Podcast. And I'm here with Jim Bowie from Tampa General.

Jim, welcome to the program.

Jim Bowie: Thank you. It's good to be here.

Drex DeFord: How's everything going down there this morning? All relatively quiet on the eastern front?

Jim Bowie: It's not blazing hot down here yet in Tampa, so it's okay. Summer's starting to rear its head where I wonder why I live here.

But for now, it's okay.

Got it. Hey let's [:

So I blame my dad for being in this role. Because I wanted a Nintendo and he bought me an IBM PC. And I was like, all right, well, let's make the best we can outta this. So probably I got really curious doing things that probably shouldn't have been doing nowadays, but there weren't a lot of laws about it back then.

me an EMT. That was a lot of [:

And I was like, yes you can, because if you check this, you'll see who logged in here and blah, blah. And the next thing you know, I'm on a desk job. You're a cyber

Drex DeFord: crime

Jim Bowie: guy. Yeah, exactly. So. Did that for a while. A friend of mine reached out and said, Hey, come work for me in Tampa General. They didn't have a security team quite yet, but come over, have some fun.

And I was like, all right. Made that jump. Worked in healthcare IT since then, in various roles: manager of clinical applications, director of infrastructure, security engineer, director of cyber operations, and now I'm a CISO.

Drex DeFord: Wow. That's an amazing ride. It's always interesting to me.

you talk about cybersecurity [:

And I've also heard you talk about a lot of cybersecurity culture, and I feel like all that probably goes together. Tell me what you mean by cybersecurity culture, how you've built that at Tampa General.

Jim Bowie: Again, we stand now on the shoulders of everybody who did the work before us.

So what I'm gonna say may sound irreverent, but it's not. So I appreciate the work everybody did. But up until a few years ago, cybersecurity was an offshoot of IT, and it was probably your most skilled people technically that were all nerds just like me. And they lacked the communication skills or empathy or whatever you want to call it, it was just nerds in closets trying to keep things safe.

shut everything off or be a [:

So I understand that. So what I did, and I'm not the only one to, I've done this, but the one thing I wanted to focus on, to rebuild the image of the cybersecurity team where we're at and there were great people is add a little more empathy into the situation. Add a little more, Hey, we're here for you.

We're not just here to tell you can't do things. We're here to help you be better at home, be better here, and just be safer all around. It was more of the Road House theory, which is one of the speeches I give new people to my team. I was like, Hey, you're gonna be nice, right? You're gonna be nice until it's time to not be nice.

And then I had one kid who'd never seen the movie. He is like, well, and it was one of my favorite moments because he was like, well, when do I know when not to be nice? I said, you won't, I'll tell you. And then I was so happy I got to deliver that line.

e is on, it always stops and [:

So I love that quote.

Jim Bowie: Really should be probably the mantra of most cybersecurity teams: be nice until it's time to not be nice. And you won't really know when it's time to not be nice. It's not a personal affront. If you recommend something and the business decides not to do it, that doesn't mean they don't think you don't know what you're talking about.

They just made a decision. There's decisions outside of cyber too, they still have to run the business, right? So it was getting them to shift out of that, then from another culture perspective, getting the rest of IT on board with our mission. One of the things that the organization has struggled with was making a bunch of changes to Active Directory.

As we all know how easy that is to, yeah, to screw up. LLMNR, SMB version one, all the old stuff that's just like, if they're in, you have it, it's over. They're gonna get your domain admin. So I said, all right. We're having trouble. They don't understand how important this is.

nna learn how to hack active [:

Drex DeFord: Yeah. So for $20,000, it probably reduced $5 million of risk in one weekend.

And they were probably all just completely shocked at how easy Yes it was for it to happen. That sometimes is what you have to do. Like sort of, a gentle way maybe of slapping somebody in the face and saying.

Drex DeFord: Everything's connected to everything else. You guys really have to help clean up your act. For us to be able to clean up the organization's act that's so cool.

Jim Bowie: And they were happy. They were like, this is the most fun we've had at work ever. Right. So now you're little hackers, everybody was happy at the end of that.

It helped a lot.

on then from the, supporting [:

What's been your story?

Jim Bowie: So I have to give credit to our CIO, CMIO and CTO, who they want to be in healthcare at the forefront of AI, which is a cool position to be in. It's scary as a CISO, right? Right. They all came to me and were like, Hey, we want to turn this on. And I was like, oh boy.

And I don't know if I overexplain something for your audience, I'm sorry. I'm just gonna make sure we're on the same page. For those of you that don't know, when you turn Copilot on in your environment, it will act based on the permissions of the user that you, whatever you have access to, it's there, right?

report they didn't lock that [:

And so it allows you to make those mistakes at an exponential scale. And so what I did is like I went to my boss and I was like, Hey man, we got it. Just can you give me two weeks? I need two weeks to make sure we can lock down all the stuff we need to lock down at SharePoint and OneDrive and whatever.

And I showed him like, Hey, ask Copilot this. 'Cause we turned it on for just them, right? I said, ask it how many documents you have access to with nine-digit numbers in it, and consecutive. And he pulled it up and we had realized that someone had overshared an employee file with SSNs, right.

And they're like, oh my God. So I was like, gimme a week or two. I engaged Varonis, very helpful in that front. I said, here's my problem.

million. Incorrect [:

Drex DeFord: this concept I talk about this all the time too. The sometimes what happens if we have processes that aren't really squared away and then we add technology and my analogy is we take a train wreck and we make it a super fast and efficient train wreck, and that's when we discover actually that the process is broken or the oversharing has happened or whatever the case may be.

So, I love that you sort of took the additional step upfront and said hold your horses before you turn this on. The response to that's been good. I mean, now that you're up and running, you're feeling comfortable with, as much as you can about the risk that you've pulled out of it

Jim Bowie: For Copilot.

e credit to, again, the CIO, [:

And if the answer is yes, we still do our assessment and if it passes our assessment, other than the AI component, it kicks off to this AI governance committee and there's a whole ethics, feasibility, fidelity, so a whole structure around that. It has to then go through all of that to make sure that we're all safe and happy and clear on that.

And then if it goes to the AI committee, then it comes back and it adds a lot of bureaucracy, but it also keeps us, I feel, in a much better spot. Like I actually, it's gonna sound weird. AI's one of the things I'm least worried about at our institution because of the guardrails that we put up and the way it's being done safely.

Now, what might happen, and this is where this is on my team, is vendors are really bad about throwing it in without telling you.

there's a button and it's an [:

Jim Bowie: Now it's like, okay, here we go. What kind of can of worms did you just open?

So, that's created a lot of work for us on that front. So that's the biggest fear right now is that something that's already gone through or we assessed from this scope has now changed to that scope.

Drex DeFord: Got it. Let me ask you to shift gears here and ask you a different question. You've led initiatives on, obviously threat hunting, incident response.

We've had quite over the last few years, a lot of evolution and how the bad guys do their thing. Can you take me inside of a recent high pressure situation that you encountered and how your leadership philosophy guided the response?

Jim Bowie: Sure. So high pressure for us. Most recent, we could talk about Change Healthcare, which every healthcare person's probably tired of hearing about.

lot of the hospitals in the [:

When you operate, you have to have so much blood on hand. If you're a level one trauma center like we are, you definitely need a lot of blood. So that sent us into an absolute, and by us I mean the organization, absolute crisis mode. Now I have to give credit to the organization because they stood up their incident command center.

We stood up our incident command center. It was just constant like, all right, how can we bring them back up? Do we, what level of connection can we keep with them? And you're just constantly having to weigh, right? So I can keep it shut off and I can sit up here as cybersecurity expert and say, no, we're not turning this back on, blah, blah, blah.

soon enough. It's an adverse [:

Right. So not only is it just, yeah. Okay. And it's, I'm not downplaying this. We could have an incident where PHI is released, which is serious. But now you've got real lives connected to, to real decisions. And it, there's a

Drex DeFord: balancing

Jim Bowie: conversation there, right?

Drex DeFord: Yeah.

Jim Bowie: And it woke my team up quickly.

I was like, they're like, well, why don't we just shut it off? And I was like, well, if you do that, just so you're clear, we have to shut down an ER for a whole city. And they're like, yeah. Oh, right. So it helped drive the impact home for them of. Yes, we're dealing with bits and bytes, but those bits and bytes at the end of the day have people attached to them with real consequences.

And it woke a lot of people up.

Drex DeFord: I have a hundred questions. Anytime we sit down, we always, you know, we can go on for an hour. You've been to one of our summits. You're actually coming to one of the summits coming up right in Boston. How was your experience?

Are you looking forward to Boston? 'cause everybody that's going to Boston seems to be looking forward to you.

Jim Bowie: so I didn't [:

You'll like it. I was like, alright and I got there. I didn't know what to expect certainly wasn't at all what I expected. I thought it'd be a sales pitch, here, buy our products or whatever. And it turned into three days of some of the smartest people I've ever met just discussing all the problems we had, I came outta there with more strategy and like, all right, here's what I'm doing wrong.

Here's what I could do better. And then the life lifelong has been a year, but the, the long-term contact I have made from that is just balloon. I now have at my hands just a quick text to 20 people, and I'm like, Hey, y'all dealing with this? Yeah, I'm dealing with this, what are we doing? And so it's just.

o gets the chance to go to a [:

They actually are. I was impressed with that too. They were like, here's how you could solve that problem. Maybe not even with our product, but this is how we're seeing people handle the situation.

Drex DeFord: It was really cool. Yeah, thanks. I appreciate it. And I can tell you on the other end, there are people who tell me in the community all the time that they're really happy that they are able to reach out to you to ask questions too.

Sometimes I think when you're in a community and the community continues to grow and you feel like, oh, I'm just taking a lot, you're actually given a lot too though. So thanks for being a part of that. No problem. You wanna do a couple of bonus round questions?

Drex DeFord: These are some questions that I steal from Tim Ferriss. And I like to use these once in a while, so let me see what's good. This is a good one. What's a be, I'm looking at your background. What's a really unusual thing that you have that you really love?

s might also be like a habit [:

Jim Bowie: One unusual thing that I absolutely love, it's not unusual, but I love V8. Big fan,

Drex DeFord: V8 as in engines.

Jim Bowie: Yeah, I drive fast as much as I can.

I do autocross, I do track days. It has been a huge relief, stress wise for me, and it's really helped get me grounded. That's not really unusual though, so if we're talking about quirkiness, Dungeons and Dragons. I play three or four games every two weeks. It's a lot of fun that way. It helps with improv, it helps deal with crisis situations, believe it or not.

I'm actually probably trying to make a whole talk around how Dungeons and Dragons can make you a better leader.

hat to help hone your crisis [:

That's very cool. Here's another one. I think we all know some young people who want to get into healthcare, cybersecurity. What's your best advice for them?

Jim Bowie: Man, my best advice for them, and it's tough it's gonna suck to try to get into Right? Like, I know if anyone's telling you, take these certs, get this degree and you're in it's not, yeah.

The best advice. And it is a shame that it has to be this way. Is find a mentor, find a group of people, join a local club community. BSides is great. DEF CON outside of that, try to get a mentor when you go to BSides or DEF CON, there's gonna be industry professionals. There's like, Hey, I'm really interested in X, Y, Z.

of 'em, Hey, do X, Y, and Z.[:

Come back to me in six months and let's see where you're at. And I'll, I'll call me throughout the time if you have questions, don't get me wrong. I'm not saying don't talk to me kid. But they kept in touch, they showed the initiative. They did X, Y, and Z. And the next opening we had, we were like, all right, I, and I didn't say anything to my team.

I was like, interview this person. Let me know what you think. 'cause their head was pretty squared away. And they came back. We made the hire. It's the best way I can think of it. The certs are good. The education's good. The drive is good, unfortunately. Everybody's doing that too.

, you gotta make a connection. You gotta set it to the top. And I hate that it sounds like a good old boy network. That's not what I'm saying. It is not that. It is just making connections. It's making

Drex DeFord: connections. It's just, it's experience too. I mean, it's, the cert is great. It gives you some good fundamentals, but the like

you can get to the jobs, the [:

So,

Jim Bowie: no, that, that's actually a really good call out. And I am quick to tell 'em, like, look, your first cybersecurity job's gonna be a grind. Yeah, you're gonna be doing tickets and something you didn't think it was, I promise you and that's the other thing. You sit down and it's like, look, here's what a day really looks like for us.

Are you sure this is what you want to do? Because it sounds sexy, right? But I doubt it is what you think it is. So, yeah, that's a good call

Drex DeFord: it's funny with we're hiring for a position right now and we were just, talking about the don't sugarcoat it tell 'em, just tell 'em what the job is. If the job sucks , here's some things that suck about this job. Like, tell 'em upfront. I think it helps weed out the people they're not up for the challenge. I think it's sort of your version of go do these things and come back and tell me like how you're doing.

Every couple of months you can see do they really wanna grind it out or no,

Jim Bowie: For every 50 people I tell it to, one person actually does it, right? Yeah.

na see you probably a couple [:

I think we might even have a webinar coming up together. But it's really good to see you today and I'll catch up with you again really soon.

Jim Bowie: You too, man.

Drex DeFord: That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved