This Week Health
February 24, 2026

CISOs Jack Kufahl and Greg Garneau on Building a Cyber Legacy, Hiring for Curiosity and Ending the “Whack-a-Mole” Mentality

There’s a question every CISO should ask before buying a single tool or hiring a single person – and most never do: What do you want to leave behind?

It’s the question that has guided Jack Kufahl for the past decade as CISO at Michigan Medicine, and it shapes everything from how he structures his team to how he evaluates vendors to how he thinks about vulnerability management. It’s also the question that Greg Garneau posed when he walked into Hospital Sisters Health System two years ago, tasked with building a program from the ground up. During a recent Unhack the Podcast, Kufahl and Garneau spoke with Drex DeFord about the credentials they value most in the hiring process, the keys to a strategic vendor relationship, and the flaw with vulnerability scanners.

Shaping wet clay

Jack Kufahl

When Kufahl joined Michigan Medicine 10 years ago, he started to notice some patterns among his CISO peers: turnover was rampant, tenures were short, and when they left, either the program fell apart, or they took their best people with them. Being an inaugural CISO presented an opportunity to change the narrative, which meant taking a hard look at what was working, and what was not. 

“Before you start buying stuff and hiring people, spare a few moments to think about what you are uniquely positioned for,” he said. “Vendors change, people come and go, bosses come and go, and department names change. I didn’t want to build something just to have whoever came in next say, ‘Well, that last guy didn’t know what he was doing, so we had to go back to square one.’”

It was a very different experience for Garneau, who came to HSHS following an incident and was tasked with building a “world-class cyber organization.” Fortunately, it came with full support from leadership, which was needed to turn a “rudderless ship” into an effectively led team. Two years later, the organization is in a far better place security-wise. “What we’ve accomplished is nothing short of extraordinary,” he said. “But it’s not done. You have to work with your partners in the business. You have to work with IT. But you also need the staff who want to support this mission.”

Extraordinary people, ordinary containers

That’s where it gets complicated, according to Kufahl, who believes the problem isn’t a shortage of cybersecurity talent, but rather, how that talent is being channeled. “There are a lot of extraordinary people available, from both a behavior and a skillset point of view,” he said. “And if you try to take extraordinary people and then put them into ordinary containers, that will reduce the opportunity for variety.”

His strategy to look beyond the resume and focus more on disposition has led to the hiring of nontraditional candidates such as former hospital administrators, teachers, and professionals from the gaming and gambling industries. The commonality he looks for? Curiosity. “Cybersecurity is not fixed, which means we’re in a constant learning pattern,” he explained, adding that thirst for knowledge is paramount, particularly in a field marked by so much unpredictability. “That’s what keeps people.”


Greg Garneau

Garneau added that the opposite dynamic – placing smart people in unchallenging work – carries real costs. When smart people are in situations where they’re “just mailing it in and checking a box every day, the disengagement over time” can take a toll and prevent them from contributing to the organization.

To that end, both Garneau and Kufahl rotate staff across different areas of security, which has resulted in improved engagement. When leaders prioritize continued professional training, “everybody wins,” Kufahl noted. “The tools are used better, the talent is used better, and you’re a better boss for it.”

“Use it better”

When it comes to vendor partnerships, engagement is also a critical component – much more so than the numbers on an invoice. “Some of our biggest bills are from some of our least strategic vendors,” Kufahl said. What he values most is “stakeholdership in how well our team is doing and how well their products are working.”

Kufahl described drawing a mental line through his OPEX ledger dividing vendors into two groups: those who are in the trenches with his team, and those with whom the arrangement is mostly transactional. 

Garneau concurred, comparing relationships with the wrong vendors to dealing with used car salespeople. The right partners, by contrast, will invest in helping teams get better – not just at using the product, but at doing their jobs.

That upskilling component matters quite a bit, said Kufahl, citing data from the ISC2 Cybersecurity Workforce Study which found that one of the top drivers of burnout is not having enough time to learn the tools. True partners, he added, are working to close that gap. “More and more vendors are stepping up and saying, ‘Thank you for buying it, but we actually want you to use it better.’”

Ditch the scanner

What doesn’t work, according to Kufahl, is vulnerability management as it is usually practiced. In fact, he called it “dumb” during the discussion, adding, “It doesn’t work. There are too many vulnerabilities. It’s an exercise in integrating with your CMDB (Configuration Management Database).”

To be clear, he isn’t suggesting organizations should stop scanning. Instead, he advised treating scanner output as an input to prioritization rather than as the work queue itself.

“Get a sticky note,” Kufahl noted. “Figure out how many hours and how many people you’re putting into vulnerability scanning. Then, be honest with yourself: how many of those people are actually pushing tickets and just trying to make the ticketing system work?” He also urged leaders to “start thinking about how you could redeploy that effort toward taking whatever the vulnerability scanner puts out and running it through a threat interface.”

The alternative is exposure management, a threat-driven model that focuses not on the CVSS score, but on whether a vulnerability can be exploited in your environment and whether threat actors are actively using it (for example, whether it appears in CISA’s Known Exploited Vulnerabilities, or KEV, catalog).

What organizations don’t want to do, noted Garneau, is “play whack-a-mole with the highest vulnerability. Are those really exploitable? Are they a KEV? Do they run at run-time? Those are the ones you go after.”

When teams are able to accomplish that, they’ll achieve benefits beyond security outcomes, he said, adding that when HSHS shifted to this model, the number of IT and security staff consumed by patching exercises dropped, freeing capacity for higher-value work.
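One way to put the model above into practice, running a scanner export through an exploited-vulnerability feed and an asset inventory before anyone opens a ticket. This is an added example, not tooling from the podcast, Michigan Medicine or HSHS: the scanner CSV columns, the internet-exposure table and the exploited-CVE list are all constructed for the demonstration (the list only borrows the `cveID` field name from the CISA KEV JSON feed, and the CVE identifiers use the placeholder year 0000 so they cannot collide with real entries). The tiering rule, exploited-and-running first, then exploited-or-exposed, then everything else by CVSS, is one reasonable reading of the criteria quoted above, not a standard.

```python
"""Rank scanner findings by exploitability signals instead of raw CVSS.

Constructed example: sample scanner export, a KEV-style exploited list and an
asset exposure table are all made up. Each finding is placed in a tier using
three signals, and CVSS only breaks ties inside a tier:
  exploited  - the CVE appears in the threat-intel exploited list
  running    - the vulnerable service is actually running on the host
  exposed    - the host is internet-facing according to the inventory
"""
import csv
import io
import json
from dataclasses import dataclass

# --- constructed inputs (not real scan data) ------------------------------
SCANNER_CSV = """\
asset,cve,cvss,service,service_running
web-01,CVE-0000-0101,9.8,httpd,yes
web-01,CVE-0000-0102,7.5,openssl,yes
db-02,CVE-0000-0201,9.9,postgres,yes
db-02,CVE-0000-0202,6.1,cups,no
ws-17,CVE-0000-0301,10.0,realvnc,no
ws-17,CVE-0000-0302,5.3,chrome,yes
"""

# Stand-in for a KEV-style catalogue pulled from a threat-intel feed.
EXPLOITED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0102"},
    {"cveID": "CVE-0000-0301"},
    {"cveID": "CVE-0000-0302"},
]})

# CMDB-style inventory: hosts reachable from the internet (assumed).
INTERNET_EXPOSED = {"web-01"}


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    service: str
    running: bool


def parse_scanner(csv_text):
    """Parse the (assumed) scanner CSV export into Finding records."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Finding(r["asset"], r["cve"], float(r["cvss"]), r["service"],
                    r["service_running"].strip().lower() == "yes")
            for r in rows]


def load_exploited(json_text):
    """Return the set of CVE IDs the threat feed reports as exploited."""
    return {v["cveID"] for v in json.loads(json_text)["vulnerabilities"]}


def tier(finding, exploited, exposed):
    """Lower tier number means more urgent.
    1: exploited in the wild AND the vulnerable service is running.
    2: exploited but not running (still a patch target), or running on an
       internet-facing host even without known exploitation.
    3: everything else; CVSS alone decides order within the tier."""
    in_wild = finding.cve in exploited
    if in_wild and finding.running:
        return 1
    if in_wild or (finding.running and finding.asset in exposed):
        return 2
    return 3


def prioritize(findings, exploited, exposed):
    """Sort by tier first, then by descending CVSS within the tier."""
    return sorted(findings,
                  key=lambda f: (tier(f, exploited, exposed), -f.cvss))


def prioritized_ids(csv_text=SCANNER_CSV, json_text=EXPLOITED_JSON,
                    exposed=INTERNET_EXPOSED):
    """Convenience wrapper: (asset, cve, tier) tuples in work order."""
    exploited = load_exploited(json_text)
    ranked = prioritize(parse_scanner(csv_text), exploited, exposed)
    return [(f.asset, f.cve, tier(f, exploited, exposed)) for f in ranked]


if __name__ == "__main__":
    for asset, cve, t in prioritized_ids():
        print(f"tier {t}  {asset:7} {cve}")
```

With the constructed data, a CVSS 5.3 browser bug that is both exploited and running on a workstation lands in tier 1, while the CVSS 10.0 finding on a service that is installed but not running and the CVSS 9.9 on an internal database host fall to tiers 2 and 3. That is the inversion the “whack-a-mole with the highest vulnerability” remark is about; the same structure applies unchanged to a real scanner export and the real KEV feed once the column names and exposure source are swapped in.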

Advocating for threat intel

It can also improve the dynamic with IT partners, which has been the case for Michigan Medicine. “Every time we’ve gone to another IT team with a threat – and we’ve explained our model – there has been zero friction,” Kufahl said. “More times than not, they come back and say, ‘we know it’s a problem, and we could really use your help.’”

His message to CISOs at any organization, regardless of size and resources, is to continue to advocate for threat intelligence. “Everybody should be looking at it. If you’ve got five dollars, put a dollar towards threat intel.”

Doing so will not only benefit the organization now, but also in the future, as it will help establish a culture of cybersecurity. “You don’t often get chances to shape the wet clay,” said Kufahl. 

This is one he hopes the industry will continue to seize. “We’re all trying to figure this out.”

Meet the Author

Kate Gamble

Managing Editor - This Week Health

Kate Gamble is the Managing Editor at This Week Health, where she leverages nearly two decades of experience in healthcare IT journalism. Prior to joining This Week Health, Kate spent 12 years as Managing Editor at healthsystemCIO, where she conducted numerous podcast interviews, wrote insightful articles, and edited contributed pieces. Her true passion lies in building strong relationships with healthcare leaders and sharing their stories. At This Week Health, Kate continues her mission of telling the stories of organizations and individuals dedicated to transforming healthcare.


© Copyright 2024 Health Lyrics All rights reserved