February 24, 2025: Steven Ramirez, VP and CISTO of Renown Health, discusses how organizations are grappling with increasingly sophisticated threats. What makes the 60-minute breach window so critical in today's threat landscape, and how are healthcare organizations reshaping their approach to identity security? As Ramirez shares insights from his journey at Renown, we explore the delicate balance between rapid threat response and strategic planning, while questioning what makes an effective cybersecurity professional in today's healthcare environment.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity, and risk, and the people, process, and technology making healthcare more secure.
And now this episode of Unhack the Podcast.
he's going to be helping us
I don't know if that will already have happened or will be in our past by the time this airs, but thanks for doing that. So good to see you. How you doing?
Good to see you. Doing great. So just getting through foot and a half of snow out here in Kentucky. So I know all the Reno people laugh at me cause that's a walk in the park for them, but you know, we, we just got through all of that.
So we're making it,
It's interesting. We live in this kind of new, interesting world too, right, where you live in Kentucky, but you work in Reno and I know you go out on a regular basis and see the team and but that remote work model is, I mean, we're going to go all over the place to talk about a bunch of stuff, but that remote work model continues to be something that you all embrace out there at Renown.
atives that we're partnering
Everything. So go, go, go that we have, you know, we all. You know, text with my CIO, my COO, you know, we're always doing Teams that it's a very go, go, go society. So I think, you know, it's really good to have that level set, but there's some jobs that I feel makes more sense to be onsite. We have like a lot of our operational leaders there, obviously from an IT perspective, but yeah,
That makes sense.
Yeah, I can stay out of the way a lot of time. So. Just help people get the work done and, you know, just do what I need to. And of course, with the, the time change be up a little earlier to get things kicked off for the team. So, yeah,
You have a really interesting role too, because I think you jokingly, I very seriously, refer to you as a CISTO, the chief information security officer and the chief technology officer all rolled into one. It didn't start that way. You want to tell a little bit about the story of how you wound up in this role and then you're making some additional changes now.
So tell us the whole story on that.
Yeah, so infrastructure
Stabilization start to modernize and optimize again. So when I started at Renown it's now my three year birthday. So I've officially made it right. That's great. Chuck in the Renown team for three years. So when I started, just was hired on as a CISO again to, you know, rebuild and, you know, really start to do a lot of that. Chuck's always been a very cyber security conscious guy.
So,
yeah.
came in to do that. About a year and a half in there was an opportunity through a reorg that Chuck then knighted me the CISTO. So I took over security infrastructure, technology operations, service desk really, you know, soup to nuts on all of that. And it really made sense because again, as we were going through the stabilization point, you know, we weren't doing patching well, you know, there's a lot of security initiatives that actually were moving.
So we wanted to go to a more
it's worked great. I've done been doing that role for about a year and a half. We put together a lot, you know, our strategic plan together internally for what we're going to execute on both, you know, inside out to make sure that, you know, really delivering to our patients, our community, and everything is part of our strategic plan.
And there's so much growth in the technology side that and working with our CIO, Chuck, that we decided to branch off a VP of data center and network. So very niche on that, because we just did a refresh of our local data center. You know, we have a lot of managed service partners and just technical debt out there that, you know, we're looking to consolidate, you know, as we go through our strategic plan.
So I will still remain the
So the service desk, desktop, telehealth, operational support, because clinical teams own that. So there's a big play on security on the services that we've known. So that's, you know, a natural synergy on that. We're going to ServiceNow this year, like our own instance of that. So I would say a big project on that with some automation potential.
So there's a lot of stuff I want to focus on from that front end tech, our cyber security road map, which I'm sure we'll dive into as well, that it really made sense to bring in another leader to help support us. So really excited to do that. We're getting in our final stages of candidates for that.
So hopefully we'll have a selection by the time this is out.
All right, well, good luck with that. That idea of having somebody who's hyper focused in the back end, on the back end, about tech debt and what's the best process to consolidate and all of that. I love your thinking on that.
en the idea that from a CISO
I used to think about, because I'm recovering CIO, everything was very CIO centric, right? I used to think about the CIO kind of being the, I've got my finger in all the pies in the organization. That is definitely what's happening with you. All that going on, you're doing a bunch of work on identity right now. Tell me a little bit about that story.
It's been something I've always been personally passionate about, as you see a lot of these ransom events and cyber events, it's always zeroed in on some kind of improper access, external access, you know, MFAs, all of that.
You see his stats now to say like 90 percent of breaches start with an identity issue. So yeah.
use you thinking IT disaster
So we do a ton of work with our MSP and internally to really put a plan together that we're starting actually the piloting of that right now. So more of empowering the SOC to action certain identity activities. So instead of Drex telling me, you know, as my SOC manager, that there's this thing going on over here and there that's go kill that activity. So, you know, we're going to be very stringent on just like, you see it, take care of it, and then we'll get on regroup, you know, pretty quickly to do that. Cause I just saw I was at a conference last week and it's saying it takes 62 minutes for a threat actor to fully get that foothold in and out data out and everything.
hink that that's really just
So definitely have to give a shout out to 229 that, you know, for a reference for some various tools that we've been looking at. So we're bringing in some zero trust tools, some advanced PAM tools, some pretty cool technology this year that's going to really help operationalize just telling us something bad's going on, but more just actioning that.
So yeah,
So a lot of those tools are good process tools that help you clean up things and manage things and feel more comfortable that you have good processes, but it is the, you know, speed is everything right now. Like, from the time you detect something to the time that you shut it off or stop it or remediate it, even as much as you can compress that down, because like you said, 62 minutes. Was talking to our friends at CrowdStrike the other day and they were
tarted to the time they were
we're super excited. So it's like really pulling together a lot of different technologies, obviously from the end point, we all know, you know, EDR technologies, CrowdStrike, SentinelOnes of the world are investing in that identity. So, I mean, that's brilliant, because again, the more we can do on the end point before it gets to our, you know, crown jewels and Active Directory and everything. So really that layered defense that we've always talked about, throwing in a little deception as well. So we're looking at doing that as well. My whole reference is again, I'm a big reference guy.
Like can we drop a couple twenties outside the bank to slow the guy before he comes in? Because again, time is of the essence. So yeah.
If you can sandbox them out or something, get them interested in something, you know, honeypot them or whatever, and kind of get them interested in something else.
at. Our partnership so it's,
So this is really cutting edge stuff, bringing in a ton of telemetry, a ton of different stuff. So we've really leveraged really the phrase prepare, fortify, combat; that's their mantra. So again, that's not Steven's mantra, but that's their mantra for how we're going to tackle a lot of these pieces.
ls that we should have now in
utomation this year and then
So how can we be resilient as an organization, with immutable backups, you know, architecture, that's where it helps being the CTO as well, you know, and a lot of what we had put together for our strategy, and look forward to partnering with our new leader that comes in as well for that as well.
But we've really narrowed it down to alerting, prevention, blocking, isolation, and then recovery resilience. So that's what Chuck and I are just trying to, again, make that down because I'm from an education standpoint, awareness, metric standpoint, again, that it makes it easier instead of us trying to do, like the performance goals were great.
council. We're going to our
What this is specifically giving examples.
Yeah, that's awesome. And I mean, it rolls right into my next question, which is as you, because obviously you're making a ton of investments and you're spending a lot of money, but you're also doing a lot of simplification in the same motion, right, to spend less money and make it easier to manage, how do you justify what you're doing to the board and other execs who may be largely non-technical, but you still have to kind of help them understand the investment. What's your secret?
Well, I've been lucky at all the organizations I've been at to have a very security conscious leadership team and CIO as well.
so security focus and strong
And it, it makes my job easy. So it's like, we're just very tasteful and tactful and what metrics we give to like our executive leadership and then the board. So at Renown, we have a governance process. So all the CEO's direct reports, Chuck presents anything IT related through an SBAR process, so,
Hmm, great.
I put together a security SBAR and our thought process is always, instead of just doing a year, we need to show the bigger picture on, you know, where we are today from a maturity and where we're going over the next three years. So he takes that up through President's Council and helps secure funding, and then I take it on through our committee structure. So we have operational compliance, our governance, risk and compliance audit and compliance steering committee of the board and all of that. So that's a quarterly basis, GRC's monthly, and we go through and again, give metrics, give data, what's going on on the news, what's Renown doing to do this.
s coming out with that. Show
So just stuff like that on, on educating, but I've always been lucky. It's not been, obviously can't go crazy, but ROI perspective. It's been fairly easy to just justify the what and the why with just continuing deliver value on keeping us out of the paper. I think it's the biggest thing on delivering on our mission that our executives know that this threat isn't going away.
You know, we have an internal risk process that cyber security is always ranked the number one organizational risk. You know, they see it through cybersecurity insurance. We've obviously, you know, but on the downtrend on that, just on our investments on that, so it's, you know, kind of those soft costs that we can impact with what we do.
Your investments in your
ly has had a positive impact
Correct.
All right. And then
it's, you know, it's always a question, you know, when we do bond rating and stuff like that to have a packet.
So
huge
having that ready for our financial team, if they ever need it. And then accreditations. Beginning of the year, we're going to get all of our specialty pharmacy, all that other stuff. So it's always important to have that, have a lot of these different pieces in place that the regulatory landscape's always, can be hot or cold, depending on who's in Capitol Hill, as we're seeing on regulation, but really, again, what we've always said is that our primary focus is our operational continuity.
That's why we make investments in our program. The secondary is again, class action lawsuits. As soon as something happens, you're going to have those lawyers after you. And then obviously the regulatory side, very important. So, three people that are going to be on your back almost instantaneously as that happens.
ng to be like, A day you can
So it's very easy to say, this is where we're going. And cyber being like an imperative to really support all of that, especially the investments in technology. So they get it. So it's been easy to just get the ROI just to, you know, show the value that we're doing on protecting the organization,
and training and awareness. So
You make it sound easy. It's not very easy. There's actually a ton of work. I know that goes into what you do to make it to the folks that you have to move into your camp. Executives and board. There's a lot of work that you have to do to figure out how to speak their language and help them understand and not make them feel dumb too.
Kind of a benchmark for the
all of that stuff or in anything else, what's your favorite metric? What's the thing that you track, you know, closely.
Well, phishing was always one of our favorite. We went to a great new tool. It's like the CrowdStrike of phishing. So it's always cool to show the level of that on who the top target is.
Like almost can be a competition when, you know, we're sharing it to that. Oh, look at our CEO was most targeted. Now this time it was our CMO. So they love to kind of see that data, but also thwarted attacks. You know, there's a lot of information we can get out of EDR. I think we've done a great job in vulnerability management.
So not a lot of organizations have that dissent it's more. We're leaving the airport. So we've done a great job on that. So I really think that they love seeing that as well. But that's a great question as well. Because this year, that's one of my goals with Chuck actually to put together a meaningful dashboard of that because that's so hard.
ked to, like, how can we get
Our compliance, of course, risk management, and then the resiliency piece. So I'm going to really try to get some key metrics to that on like endpoints, you know, systems that we've done DR for, you know, et cetera, really see go, it's probably going to be a few iterations on, does this make sense to you?
Does this make sense for this level? So really excited to start to dive into that with a lot of the data we have. Nice.
It takes me on another route to, when you talk about resilience, I know we talk about it. The technology stuff that we're running resilience, but then there's all the business continuity stuff Are you responsible for business continuity there too, or I'm not sure responsible is the right word But
Renown's great on that.
disaster recovery, business
So, you know, obviously we know like Epic's our core EMR, radiology, all of those systems. So have those thresholds from BIAs on ensuring system uptime, but our emergency management group does a very good job of that. So with a lot of the technology changes that I spoke to, we partner with them. Our downtime planning is amazing.
So like we go through and we go through, it's almost like mini incident commands that we do for every little event. If it's like a closet refresh, if it's a core upgrade. So they do a great job of really taking that by the horns using the HIC structure. So again, that they know it's going to be something that interrupts that, pulling in our nurse manager, you know, our executives on call.
battle tested on, you know,
That is one of the hardest things I think for a lot of organizations right now is the business continuity, that practice during day shift, that kind of understanding that the plan to be out for an hour is not the same plan that you have if it turns out that you're going to be down for 30 days. And what do you do? And it's sort of thinking about all that because they're all busy. Everyone's busy. And so taking time to do that takes a special effort. Speaking of being busy, we're all pretty busy. When you get unfocused or you feel overwhelmed.
This is a personal question. What do you do to kind of hit the reset button? What's your process?
Well, when it's not 20 degrees outside, you can ask my team that sometimes they'll just hear me walking. I'll take my dog for a quick walk. If it's just a one on one with like my manager of cybersecurity or it's a my contract manager, you know, various team members, that it's just more of those one to one things anyway.
old fashioned fresh air and
been running a ton.
Yeah. I have my little Peloton right over here. Thanks. I don't know if she's trying to tell me something. So
mine's right over there. What is your Peloton? What's one of your, what's your favorite thing? What just in general, what's your favorite thing?
I love the 20 minute runs because you can go a little bit faster.
I ran track back in high school. Let's see, never made it to the pros, but you know, still very passionate about that. So the 20 to 30 minute classes really just love those. Cause it helps like motivate you versus you just doing a run on yourself. You could cheat. So it's like very competitive. So if I see, Oh, Drex, Drex or Wes are right ahead of you on this board.
Man, I got to step it up. So yeah, I love it.
nking about getting into the
You don't have to have cyber security experience to be successful in cyber security.
I think as an industry and that's something, with our partnership with you and our that really something I'm trying to look at if we can do better is getting in more interns so people can kind of see where their niche is. Yeah, because there's so much to do it when you say cyber security that can be GRC, that can be resiliency that we've talked about security operations.
So it's like really understanding, do you want to be the guy at the keyboard? Do you want to be the guy that's creating the metrics or do you want to be somebody that's like really doing some of that resiliency planning? So I think having that it's easy to jump into, it's a very evolving.
m talking to a buddy that's,
Like. Think of somebody and even cyber is not a terrible idea, right?
So it's like his whole premise on that. And he runs one of the better training and awareness programs anyway. So it's, and I think that's all at that core, like stuff that's entertaining and that makes sense to the non technical opportunities like that.
Or I think an accountant would do a good job at forensics I think that we need to do a better job of just instead of blanketing cyber security going out and just having discussions and people should never feel like they're not qualified because there's always a job that somebody's done that can be valuable to cyber security.
So.
I've talked about this before. Some of the best people I've ever hired into project management are bartenders, right? Like they were bartenders in college, or they've been bartenders as a side hustle or something, because you got to manage money and talk to people and, and juggle 50 things at the same time.
ust bringing in interns too,
We're asked to do a lot of things and help with a lot of things. And we always say yes. As I've gotten older, I've, I say no to more and more things because I think I've started to understand that, I build in a system that starts to overwhelm, you know, anything that I can do.
s that you're saying no to in
Well, I guess it's a double edged sword.
But you got to have a good
I think you guys do a great job of that, just in the things that you guys set up. But yeah, just not trying to do too much to just burn yourself out. So even on the personal side, something that might seem like it's fun balance, especially now being married, I've got to remember that I've got to cut down more on, you know, my job is already, it takes nine to 10 hours a day.
So I don't want to, got to make sure that I keep the wife in mind either to an event I can bring her to, or just not say yes to as many, we're going to be super busy this year a lot with, we detailed we're doing anyway. So, and also just staying focused, not trying to let anything deter what we're doing.
We have our plan that stick to it. So staying away from the shiny brand objects.
oritized and we, there was a
And they're trying to figure out ways to, like, do a little black operation or something and, you know, get the thing going. And so you sort of have to actively say no to those things. Yeah, thanks. That's a good diatribe on some of the things that you're doing to give yourself some time back.
Hey, thanks for being on the show today. It's always fun to hang out with you. I'll see you in person here shortly again. show probably air for a while, but we'll probably am already hung out by then, but I'll definitely see at the big show the big conferences. And yeah, I really appreciate you being on.
Of course. Thank you. Good to see you.
And that's it for Unhack the