May 20, 2024: Join host Drex DeFord on "Unhack the Podcast" as we explore the art of communicating complex cybersecurity issues through engaging and relatable analogies. Hear from a lineup of seasoned CISOs from top healthcare organizations as they share their unique stories, ranging from boxing metaphors to cinematic references, to illustrate the nuances of cyber risk, resilience, and strategy. Whether it's understanding risk-based prioritization with bar fight analogies or increasing cybersecurity budgets with fortune cookies, this episode offers a creative twist on technical explanations. Dive into these insightful narratives and learn how to convey technical security concepts in terms everyone can grasp.
1. Nate Couture, CISO at University of Vermont Medicine
2. Kathy Alexion, formerly the CIO at the Bill and Melinda Gates Foundation
3. Brian Cayer, CISO at USC Keck Medicine
4. Gary Chan, CISO at SSM
5. Jason Elrod, CISO at MultiCare
6. Steven Ramirez, CISO at Renown
7. Shauna Hofer, CISO at St. Luke's in Boise
Donate: Alexβs Lemonade Stand: Foundation for Childhood Cancer
β π
β π Hi, I'm Drex DeFord, a recovering CIO from several large health systems, and a long time cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of this week Health's 229 Cyber and Risk Community, and this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity and risk and the people, process, and technology making healthcare more secure.
A special thanks to our partners Fortified Health and CrowdStrike for helping us cut through the noise in this ever evolving cybersecurity landscape. Thanks for being a part of the community. And now, this episode of Unhack the Podcast
β π Welcome to Unhack the Podcast. I'm Drex DeFord. One of the big challenges I'm asked about often by both CIOs and CISOs is the best way to communicate difficult cybersecurity or technical issues to non technical executives or staff or partners. Even board members and even the community. It turns out that everyone has a good way to do that.
And in this episode, I pull a half dozen CXOs on their best analogies and their best metaphors. One called the program, a collection of verified anecdotes. And I don't think that's a bad way to think of it. Whatever you call it. I tried to find out from these execs, examples of stories they use when they try to explain to others the best way to.
Grasp the challenges in cybersecurity. And let me just say, since starting this project, I've heard some really good ones. I don't want to give anything away, but you'll hear snippets from these execs in just a minute who cover analogies that match up to everything from Christmas movies to sports analogies to scenes from campy 1960 TV shows we're all familiar with.
And I would just say you're all so creative. I think this may wind up being a multi part episode in the spirit of sort of plagiarism is the most sincere form of flattery. I hope you can steal some of these stories and repurpose them for yourself. Or maybe the analogies help inspire you to build your own analogies and help your staff and peers and leadership better connect to the very important work you're doing in cyber and risk and compliance and privacy.
If you have a story or analogy that you'd like to share, I'd love to hear it. Drop me a note at Drex@ThisWeekHealth. com. You're doing great work that's perceived as mostly technical, but I have to say your creativity in all of this really blows me away. I'm looking forward to talking to you. Okay, you ready to go?
In order today, you will hear from Nate Couture, CISO at University of Vermont Medicine, Kathy Alexion, formerly the CIO at the Bill and Melinda Gates Foundation, Brian Kayer, the CISO at USC Keck Medicine, Gary Chan, the CISO at SSM, Jason Elrod, the CISO at MultiCare, and Stephen Ramirez, the CISO at Renown.
And then we'll wrap up with Shauna Hofer, the CISO at St. Luke's in Boise. The two of us will do a little post game podcast wrap up. We'll talk about some of our favorites and maybe I'll even coax one of these stories out of her. This should be fun. Don't blink. It'll go fast. It's story and analogy time on Unhack the Podcast.
β π π A recent one I π π had is we were working through, we were doing a reorganization of it for, as part of a move to shared services. Moving from six different IT organizations to how do we operate as one?
And that gives an opportunity to rethink how do we wanna organize some of the functions that we have I really wanted to make the argument that I wanted to expand from just thinking about risk to thinking about risk and resilience underneath my program, and how do we structure some of the other resilience concepts in there.
So I first needed to explain it to just the rest of the IT leadership team as we were working through the org chart shuffle and what am I really even trying to get at here? And then eventually had to take it to the board as well, through our audit committee and explain it there and get their buy in of where we were going.
So I, I decided to brought it up that. I wanted to start thinking about cyber security and risk, like a boxer thinks about a fight. And if you just stand there, flat footed, with your gloves at your waist, and just let yourself get punched in the face, you're not going to be standing for very long, obviously, right?
And so we've put a lot of work into trying to not get punched in the face. But the reality is, if you step into the ring thinking you're not gonna get hit, it's gonna be a really bad day the first time you catch one on the chin. And so you have to be able to not only try and bob and weave and throw up a block, but you need to be able to take a punch.
And so we need to think about not just avoiding getting hit, but how can we take a punch? And then from there, even the toughest fighter that there ever was If they step in the ring enough times, they're eventually going to find themselves on the mat, and you've got to be able to pick yourself back up.
And so I wanted to rethink our program so that we weren't just trying to not get hit, but we could take a hit, and we could get ourselves back up off the mat if we needed to. That was how I explained it to the rest of the IT team. And that kind of clicked for all of them and really got buy in to pull some of the different groups and areas that we had together and bring those programs together.
And then we brought that to the board to get support for that as well. And trying to work budget asks and things like that, that go along to support that and some FTE growth that goes with that. So that was, my analogy that seemed to land. π
β π π π One time I was at a board meeting with some very important people, and I was rebuilding the information security program at the time. I had talked to the board of trustees about outsourcing information security, and the president of the company asked what does it mean to outsource?
How does that work? Why would we do that? And the thought was that we were in the business of scientific research at that time and, we still are, right? And we are not in the business of cybersecurity. So how can we expect to hire this huge cybersecurity team when we can outsource it to a company that does this 24 by seven, they are getting billions of data points from other customers worldwide.
For cyber attackers and and doing threat analysis, et cetera. And he said but how do we contact them? And I said, oh, we have a bat phone. And everybody just started laughing. And I said, no, seriously, we pick up the bat phone and we call them.
Or better yet, they're monitoring for us 24 by 7, so they call us. And and everyone in the board meeting just. that's where they had people that started howling and the president was like, okay, awesome. We get a bat phone. Alright. I, totally understand that. And, I went back to what is our business?
Are we in the business of cyber security? If we're not, should we really be investing this much there and that way? And I think there's a flip of, do you want to have a ton of people in a SOC doing this? Plus technology, or do you want to flip it and really invest in the technology and have some really amazing subject matter experts that are focusing on, the, program at large and working with the technologists that you're outsourcing to.
The bat π phone.
β π one of the π π questions I always have is good enough, okay, right? Just focus on good enough. And what I always tell everybody is, while good enough, okay, if you look at it from a sports analogy, We have to play in a Super Bowl every day when it comes to the threat actors. They're bringing their best, their brightest.
They've got all pro stars coming at us. And if we're just putting a high school football team together, while we might have a great high school quarterback and star athletes on that team, they're nowhere a match. To what we're seeing from the threat actor perspective. So they're continuing to increase.
So we need to do the same. So we need to just really start stepping up our game and really start learning how do we start playing the Superbowl, It's not based on industry, it's not based on this. It's coming back to is know your adversary and understand how you play against them and bring up that level.
Again, the focus for us is maximizing our investment to there. We're not going to be able to spend everything. I understand that. So we're going to focus on where do we see it as our highest risks and address those.
So spending is going to be needed, right? Systemically, organizations haven't spent. That's why we're seeing Continually increasing attacks. So we need to start going back. We need to get better. We need to realize that our game is needing to be at a Super Bowl level and start building the team to focus on that.
That's the analogy I usually try to do to sell the budget and improve our capabilities amongst the organization. π
β π for me π π it's about making cyber security fun because you want people to invite you, to the table because they like you. You represent cyber security, so you're there to talk about cyber security, but they're really inviting you. So just to just to level set to, to understand the distinction, right?
So a lot of times we talk about how to get a seat at the table and it's we can talk about this breach or that breach or this regulation or that regulation or whatever, but that's not how people make decisions. If you, want to go hang out with somebody, are you going to hang out with the guy who likes to talk about cyber?
Or are you going to go hang out with the guy that you just enjoy being with? And that's what I want to create. So if you're likable and you happen to represent security, you're going to still be invited to the table, right? So what you want to do is you want to make it super fun.
And like a good example that I like to give is that I've done before, by the way, I'm not just making these up is sometimes you have a lunch meeting and , let's say you have Chinese food. So what I did was I actually had custom made fortune cookies that had like little inserts into the fortune cookie that I wrote.
And when they deliver them to you which fortune cookie has what message in it. And then, so using my magic skills, whatever, right? And I'm passing out the fortune cookies. I know everyone, which message they're getting. Now, imagine if. The CFO finishes their lunch, they open up the fortune cookie, and it says, Today's a great day to increase the cyber security budget.
It's just fun. Yeah. And that's the sort of thing that I like to do, right? You really just want to get invited to the table and because they like you , that's the halo effect, right? Then you can talk about the other things that are important.
They're much more receptive to it versus, Oh let's go talk about the cyber thing. No, let's just have a conversation. Let's see where it goes. And then we happen to be talking about cyber. Yeah. Relationships and connections are everything, right? And I think figuring out, I love that you have this sort of.
Custom message to everybody at the table. And that requires a lot of work to think about in advance, who are the people at the table and what's the message that they're going to receive best. And then also, like you said, I think that the general relationship part of this is incredibly important.
Yeah, no, that's right. And the tactical stuff, not to get too far off topic, is super important too, because you got to make sure that the fortune cookie is good. And so you got to order it first, see if it's any good.
β π π All right, π π so risk based prioritization in the cybersecurity program. I was asked this question, please explain it to me. I have no context for it. And of course, the first thing that came to mind was it's like a bar fight. And Now let me set the scene for you. You're minding your own business at the bar with your soda and lime after work, and a Hollywood style bar fight breaks out.
You want to get safely to the door, but across the room there is a lot going on between you and where you need to be. So here's some of the players. So right next to you is this 85 year old woman that has somehow deployed a steak knife and is looking at you like you're a steak. The talls and the shorts, they're off to the left.
And there's lots of in chairs, involved in that conversation. Some are standing on them, some are swinging them. Outlaw bikers, of course, they're in the room. They're over there near the pool tables. They're already using pool cues as weapons. Pretty sure that part of the room is going to escalate to a knife fight or a gunfight before things are over.
And and right in front of you you've got the drunk fraternity bros. They've created a chaotic mosh pit directly in front of you. Finally, there's a crowd behind you on their phones over there. Some recording the scene, some texting each other with very angry emojis.
So here you go. So your decision. Now you can't. Or at least you shouldn't try to take on the whole room at once. You need to be very clear on your objective, focus on that and get present, really understand the current state of things, the target state, the gap between the two and your plan to bridge that.
So with that in mind you need to prioritize the risks and deal with them accordingly. So number one, stabby grandma is probably not the biggest risk in the room, but she is the first priority as she is the closest and most potentially damaging at the moment. You would never thought she was a threat, turns out she is.
Think zero days, these things just pop out of nowhere. You never even considered them. So number two, you probably don't need to worry about the InstaTalk crowd as the threat's active, but the impact's not. Really low. They're just going to complain. They're not really going to do anything. So think things like primarily reputational harm, things like that happens.
So number three, the talls and the shorts they're really going to keep to themselves. The this won't be the last time they're arguing and this won't be the last time they've had this particular fight. They were already angry and they're gonna be angry afterwards. Okay. You just need to keep yourself out of the direct line of fire with that group.
So these are things like. Known inside actors. Known areas of conflict, known threat actors, it's containable and you can plan around it. It's always going to be there, but you can identify, Hey, the talls and the shorts, they're going to interact this way. You can be able to contain it. So number four the frat bro mosh pit that's just random chaos, right?
That's, what you ever have to deal with, right? What's in front of you. Right then and there. So the danger and the risk isn't directed at anyone in particular, and the intent to cause specific harm isn't really present, but the danger is real and it's going to be easy to get caught off guard if you're not paying attention.
So think about things like the day to day security operations that can be understood and need to be addressed on a case by case basis. And even though in the aggregate seems large. The specific risks aren't that big. So you're taking care of these things on a case by case basis. Now, number five are outlaw bikers.
They're probably the biggest risk in the room, but they're also the ones with very specific reasons for being there. They fight who they fight for those reasons. They can cause a lot of direct and collateral damage, so you need to be very careful when you get to that part of the room. Prepare for it as best as you can, but if you can wait for the cops to get there, Do that.
This is a phone a friend, bring a friend. These are things like nation state actors, organized criminals, and APTs that are actively engaged in your organization. Recap. Bar fight, you gotta get out. Know the results you want. Identify and address the specific risks between you and the results. And do that with a priority and the right action.
Never try and take on all at the same time or with the same solution. That's gonna get you taken out by a stabby grandma. π
β π π π storytelling oftentimes going to the board, it's more than just showing numbers saying we're high risk we're a blank out of 10, we're this out of five, or this on the NIST scale, it's really important to relating to people, especially in healthcare, where you have a lot of providers, a lot of people that necessarily need Didn't start with cybersecurity background.
I know that's dynamics definitely changed over the years that everybody knows about cybersecurity and oftentimes that's what still keeps a lot of the CEOs up at night. So over the years, I've definitely had some creative ways of portraying what we're doing on the cybersecurity side from explaining a CISO's role of, watching the beach as the lifeguard to explaining using the car example.
I know a lot of people use. The core example of lane correct, the airbags and everything to protect the user being the data, the driver. But really, probably my all time favorite was sharing the movie Home Alone. Home Alone popular Christmas movie for everybody, explaining that a lot of our approach to cybersecurity, the adaptive defense in depth is a lot like Kevin keeping the wet bandits out.
As you're thinking about the part of the movie where he's setting up having his mac and cheese and everything to get ready for the bad actors to come. Not all of us have that privilege of having you know the time to prepare for that but it's really telling to explain that he puts the Christmas ornaments outside of the window, the hot iron on the door.
Sprays down the thing to put ice on the stairs. All of that me explaining that to our executive team and other leaders saying that this is, again really our approach to security, that it's not going to be just one silver bullet, it's not going to be one single thing.
It's going to be these multiple events to really keep the bad guys out. And ultimately. Kevin got nabbed at the end, but then got saved at the end. So that's really important to say no matter what you do, there's still the bad guys can get in. So it's not if, it's when, and then how you're going to prepare to have the guy across the street with the shovel to come in and do their recovery.
Some pretty cool ways to explain that. You gotta, I really like to use various movies and so I like to stay up on my Netflix in case there's something to replace that example moving forward, but really great to keep things fun and to better explain cybersecurity and what your team's doing behind the scenes. π
π β π Man, that was fun. I love the stories. People are very giving in their willingness to be vulnerable and tell these stories. And some of them are really funny and some of them are really just they crack me up. What do you think? I thought they were, I thought they were amazing.
I, I love learning. from others, and I felt like I learned so much from those clips. We think about ourselves, I think, often as being, technical people or technically oriented, and we're in these dry technical jobs. But clearly, there's a massive amount of creativity that goes into doing some of this work.
And it shows when people have. figured out how to tell those kind of stories, create those kind of analogies to help relate these hard to understand complicated technical issues. π Yeah, and I think that was π the theme throughout them for me was that word relatability of you have to be relatable and Storytelling has really been how every one of them and us, I think, as CISOs have had to learn how to do that because it's certainly not through a great dashboard of CISA metrics or or, CSF metrics or whatever we're using.
That is, that's not winning us in the relatability category, I don't think. , so everybody knows Shana, right?
Shana Hofer from St. Luke's Boise. I'm really, I'm glad you're here. This is going to maybe be a routine. This is the other part of it is I still haven't quite completely figured out what UnHack (the podcast) is going to be.. I'm glad you're here again. Cause you were with me last time. And I think this is a good we got a good little wrap up here. So the stories. From, Brian Kare and Jason Elrod and Kathy Alexion Nate Couture Stephen Ramirez, Gary Chan.
Did any of them strike you as your favorite or your couple of favorites? Not to put anybody on the spot, but was there a couple of them that really tickled your heart? It's hard to choose because I thought they were great. Every one of them I took away with, I love this, right?
For example, I have never, I've never thought of Home Alone as a cybersecurity analogy and it's, genius, right? Because everyone has seen it. And when you think about the comparison of layered defenses, and it was, it I loved, I love that. Also, I love Stephen's point of, I need to keep watching movies so that I have new content.
I'm like, that's a great excuse to continue to watch movies. I love movies. I loved Mae's boxing analogy. I thought that was wonderful, but I think Gary wins for me in level of effort because The, amount of time and just care that he had to have put in to the fortune cookies, that's impressive. And what a creative idea.
And, funny, right? I just, I would imagine the CFO opening one that says give, a little extra cyber budget today. Just had to put a smile on his or her face. What a great idea. Today would be the perfect day to give, to put more money into the cybersecurity budget. This is the other thing too about Gary.
I don't know if you do, you know him? I don't know Gary, but I want to know Gary. He Gary is also a mentalist, right? He's a magician, and he's not just like a run of the mill, like some guy doing a card trick.
He's like world class, like people hire him to come and do presentations at their conferences. So he's like a big deal. And he's really funny and fun. And a lot of it is because that whole thing that he does he's as passionate about that as he's passionate about being a CISO.
So he's, it's I'm not surprised when I heard the cookie story. I was like, Sounds exactly like something you would do. What I thought, and again he, said it, and I, it's something that I have, felt in the later part of my CISO career, but I don't think I, I really understood it early on.
And it, the point was that you have to be likable first. Yeah, you need to be a subject matter expert, but first they need to like you. And I think hearing him say it the way that he did I just, really related to, because it's part of that building trust. And I thought that was great. Don't you think that's true for most things though?
Like people want to work with you or they, need, they know they need to work with you or, if you're on the sales side of the house People probably need to buy what it is that you're selling, but there's, another thing that has to happen before that actually works. And that if we have to like each other, we, I have to figure out like, is, are you a person that like I can get along with that?
I can trust that. I know you either have my back when something doesn't go exactly. Sure. I, yes, I think that is true, but it makes me wonder if it's always been true for the CISO role, or earlier in the CISO role, might people have been willing to hire just somebody who knew something about it.
because maybe there weren't as many CISO options and maybe that added to the churn of short tenure perhaps? I'm, totally guessing and I don't know that's it, but I think about, many of the CISOs that I know and the trust that they've built in their organizations and how today those organizations don't want to see them leave, right?
A breach happens, right? We got, we have your back mindset now it seems like today then it maybe it didn't feel like it used to be there. Yeah. You guys have really come a long way and I think it's just the evolution of cybersecurity and healthcare too where it used to I think years ago was thought about as a separate thing in a separate department and those people do their thing and that doesn't have anything to do with me and today everything's connected to everything else and cybersecurity is everything that we do.
Just by the change breach, by the anything that you see happening today. It has this massive effect on healthcare operations and research. If you have a research institute, it messes with the foundation. If you're doing fundraising, it just, yeah, big cascade effect. Yeah. I was thinking about Stephen Ramirez too.
So I don't know if you've ever seen this picture of Stephen Ramirez at an All Hands, and he's making a presentation about spam, and he's wearing a big spam can outfit. So I'm going to have to find that picture now and make sure that we put that out in the community so everybody sees it. But it's a funny thing because he told that great story and then we were talking and you don't see this in the clip, but.
I brought up the scan the Pam, the scan, the spam can photo. And he was like, yeah, you wouldn't believe how many people still every year ask me are you going to wear the, are you going to wear the outfit? Again, crazy crazy, great sense of humor. And then you mentioned Nate and the the boxing analogy, and I can tell you sense Nate.
told me the story about the boxing analogy, and this has really only been like maybe five days ago. I've probably used that story four or five times when I've been talking to folks and especially around resilience and talking about why so how do we get there and what does that mean and how do you talk to people about it?
I'm like, I got a great story from a buddy of mine and everybody gets it at the end. Like you're going to get knocked down and you got to get back up as quickly as possible because. Everybody's counting on you to win the fight. And isn't that what's so great about you sharing these on this forum and really what ties back to the 229 community is the ability to share things that the rest of us can benefit from.
That's, I thought I haven't used it yet, but I, my thought was I am going to use it. And speaking of Nate, when we talk about my story. My story comes from Nate. I when I went to the board recently, I wanted to tell real stories, right? And I wanted them to be relatable. And so I started with, let me tell you a story, a true story about a mom who went on vacation and on her vacation, her daughter called her and needed help with a rental application.
And doesn't this sound familiar? It came from Nate at Vermont and Of course didn't mention the employee's name, but being able to start that conversation with, are any of you parents? Can you relate to a parent wanting to help their child? And also, Hey, this one parent is a really dedicated employee because they brought their laptop on vacation just in case they needed to help and do a little extra work by the way, in the middle of the pandemic and any of us could have been in that position.
So for me, like being able to, borrow from others who've had these experiences to be able to communicate those is great. Part of how I like to tell stories too. Yeah, how did that go over? It went great I just tied it, throughout the presentation, and part of the point I was trying to make is that was four years ago, and while a lot has changed since then, Almost nothing's changed since then at the same time.
And so looking at it through that lens of we use the understanding of what's changed and what hasn't changed to help us prioritize our work and making sure that we're focusing on the right things. And so being able to weave that kind of throughout, I think was really helpful. Yeah, a lot of this does come back to the, you're sitting in a room especially a board room, or you're sitting in any room that you're in, and not everyone has the same frame of reference as you.
They don't have the same experience, they don't have the same background, so trying to find these things like, Yeah. Everyone in this room is a parent and they all could relate to their kids asking for help or everybody's seen Home Alone and so everybody can relate, right? Like how do you find the thing?
That really is the key to the operation to a lot of these analogies, whether they're sports analogies or Whatever they turn out to be. Yeah the, bat phone. That was great from Cathy too, right? Everyone knows what the bat phone is. So yeah, exactly right. Just being able to relate is really, I think the key that came out of this for me.
I want to hear Drex, what were your stories or what's the story that you shared? So that's a really good question. And I think what ultimately is going to happen here is that we're going to continue to collect these stories.
Because I'm so motivated now to find more of them because they're all so good. So I don't this there will be a part two and I think in part two I will tell one of my stories, but it's there's this there's too much goodness here to just stop with. Part one. So part two probably won't be the next episode of Unhack the Podcast, but we will do a future episode where we'll continue this conversation.
Geez, Drex, I love it. I do what I can. I'm really glad you were with me today. I appreciate it. I'll see you again next time, I hope. I'd love to be here. .
β π π That's a wrap for this episode of Unhack the Podcast. Do me a favor and and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate, leave a review wherever you listen to podcasts. π huge shout out to our sponsors Fortified Health and π CrowdStrike for supporting our mission to transform healthcare one connection at a time.
Find out more about their work at ThisWeekHealth. com slash Partners I'm your host, Drex DeFord. Thanks so much for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid and I will see you around campus.
β