One of Chase Franzen’s favorite quotes goes back to his days as a Taekwondo student: “Good is never good enough.”

At first glance it may seem defeatist; but in fact, the phrase refers to the constant pursuit of self-improvement – which he believes is quite apt for CISOs in the current healthcare landscape. 

“It’s the idea of perpetually moving forward, getting better, and never being complacent,” said Franzen. At Sharp HealthCare, that means not just keeping the staff educated on the latest security threats, but doing so in innovative and “fun” ways.

During a recent Unhack the Podcast, he spoke with Drex DeFord about the “different approach” his team has adopted when it comes to boosting cyber-hygiene, the need to tailor education to fit users’ needs, and the key components of their AI governance strategy.

Best practice: Targeted training

Chase Franzen

For cybersecurity and IT leaders, one of the most significant hurdles is getting the message out in a way that resonates. “We can teach anyone about safe cybersecurity practices,” he noted. “The difficult part is, how do we appeal to people? How do we meet them where they are and make it applicable to them in their daily lives?”

Doing so requires a solid understanding of human behavior, which is why Sharp brought on Peter Lopez-Perez, a licensed therapist. In his role as Cybersecurity Engagement Specialist, Lopez-Perez collaborates with other departments to help deliver awareness training, manage incident response plans, and stay informed about emerging threats.

“We’re taking a unique approach,” said Franzen. Instead of trying to “shove technology words and concepts down peoples’ throats, we’re meeting folks where they are through targeted training.”

Best practice: Go to the source

How? One way is to go right to the source, which entails sending out queries to leaders, asking questions like: “what are you seeing about AI and cybersecurity that are confusing, interesting, or scary? What can cybersecurity do to help?” he noted. “Do you want us to come to your groups, to your huddles, to your staff meetings and tailor education around these topics?”

The response has been “phenomenal,” Franzen noted, because his team isn’t just asking critical questions: “We actually do it. We’re not coming with the same stuff we’ve regurgitated a million times.”

To help lessen the load on cybersecurity, Sharp has established an ambassador program which includes monthly educational sessions focused on specific areas. The most successful to date was a session on the importance of cyberhygiene at home, where attendees learned how to avoid common scams. The idea, according to Franzen, is that those behaviors would be applied at work as well as at home. 

Other popular programs have centered around topics like spotting deep fakes, or demonstrating how scams are constructed. “We showed how a cyberattacker does open-source intelligence and crafts a phishing email, including how they spoof email addresses,” he said. “From a non-technical perspective, we pull back the curtain and show how it’s done.”

What makes the programs so valuable, however, are the takeaways. “It starts a conversation, and we end it by saying, ‘these are the salient points we want you to take to your team.”

Best Practice: Prioritize governance

An aspect that’s becoming a big concern, both for staff and leaders, is the use of GenAI in cybersecurity. Although tools like ChatGPT can offer “a world of benefit” by increasing visibility into nefarious activities, there are still serious concerns around the lack of guardrails.

“I go back and forth,” Franzen stated. “I’m super excited about the potential, but at the same time, I’m fearful of the ethical implications. I’m worried that healthcare in general doesn’t have effective oversight and discipline.”

Additionally, there are concerns around power consumption and finances, to name a few. “It’s really expensive. Are we recognizing the full cost of creation and ownership?”

And it’s not just the cost aspect, although that is significant. The technology itself is evolving rapidly. “Every day there are new capabilities, new LLMs, new agentic features. Trying to wrap your arms around it is challenging,” he said. 

To that end, Sharp has created a multidisciplinary committee that examines AI solutions from a “true, complete cost perspective,” while also carefully examining the vendors. “Is this someone we want to do business with in these critical areas?” he said. “Are they doing AI correctly? Are they ethical?”

At an organization like Sharp, which is tracking more than 100 AI applications, these "philosophical conversations” have become critical, and will continue to grow in importance. For cybersecurity professionals, it means being willing to keep widening the scope and staying abreast of the ongoing changes in the industry.

And, of course, continuing to chase the “good.”