This Week Health
April 22, 2025

“Security Is About Trust”: How CISO Gary Chan Uses Mind Games and Personalization to Safeguard Data

“People make decisions based on emotions; not based on reason.”

It’s one of the most important lessons Gary Chan has learned during his career, which includes experience not just leading security teams, but evaluating startups, architecting anti-fraud systems for state agencies, and a “side hustle” as a security mentalist.

The key to a solid cybersecurity strategy, he has learned, isn’t in offering the shiniest, most cutting-edge solutions, but rather, understanding why certain tools are used over others, and what steps leaders can take to drive adoption, and consequently, boost data security.


During a recent Keynote with Sarah Richardson, Chan – who serves as AVP and CISO at SSM Healthcare – outlined some of the nontraditional methodologies his team is leveraging at SSM Health, and shared best practices for establishing trust.

Building trust

One thing is for certain: “It’s about the people – they’re the weakest link, but they can also be your strongest,” he said. So how can leaders gain their support?

It starts with building trust, which isn’t easy in a multi-state system like SSM where people don’t see each other on a regular basis – or at all, in some cases. “The biggest challenge is making sure people know you and trust you, because security is about trust,” he said.

The best way to do that? By hitting the road and meeting users in person. “Getting out in front of folks makes a difference,” noted Chan, who urged leaders to attend group meetings and sit with staff at lunch.

Another recommendation is to be as responsive as possible, making sure to return phone calls and emails from folks seeking guidance. “Building that level of trust is really important,” he said.

Thinking outside the (email) box

It starts, as is often the case, with communication, particularly when it comes to new security policies. “We try to message it in a way that the end user might want, and make it sort of fun,” Chan noted. For example, when SSM changed the password requirement from eight characters to 12, they didn’t just rely on emails. Instead, they designed mugs that conveyed the message in a lighthearted manner, and distributed them to team leads.

“People get so many emails – they probably just delete them,” he said. However, if they receive a mug with an insert telling them what’s happening and when, they’re far more likely to communicate the message to their teams. And those individuals, even more importantly, are more likely to take action.

“We didn’t have any complaints,” Chan noted of the password request, one that’s often met with resistance. In fact, his team has received cards thanking them for the security awareness training. To him, it’s the ultimate validation that they’re hitting the right marks. “If you purchase technology for your team and every day that's the first thing they open, that was probably a really good investment,” he stated. “The technology is here to support people. People are not here to support technology.”

“Make it personal”

Of course, what works with IT employees doesn’t always work with those on the provider side, Chan said. To that end, his team utilizes a different approach with physicians. Instead of harping on the patient safety angle – which can become white noise over time – they’ll frame out a scenario in which a bad actor uses a stolen password to prescribe drugs inappropriately (or even illegally).

“We ask, ‘what if someone accidentally uses your login in order to write notes that are inappropriate and that you would not have wanted?’ That’s personal,” he said. “Now you're ruining their brand. We try to make it personal and take advantage of what’s most important to people.”

The power of games

And then there’s another option – one that speaks to audiences of different ages and occupations and has made Chan a sought-after speaker at conferences and corporate events: gamification.

“I try to gamify a lot of the things that I do, because when people engage rather than just sit and watch or read something, they're much more likely to remember it,” he said. In this case, however, the games are psychological in nature, leveraging verbal suggestion, behavioral patterns, and visual cues to influence perceptions and reactions.

And while it’s certainly entertaining to watch a mentalist “win over” the crowd by guessing correct answers, it also has a more practical purpose: establishing trust. “It’s about the impact it can have,” he said. “That’s what I’m trying to do.”

At SSM’s annual conference, when he presented at the request of his CEO, that’s precisely what happened. “Not only did people come up to me during the event, but they would email me a year and a half later to tell me about security issues because they knew who I was,” Chan said. “I’m 100 percent certain that if I wasn't up on the stage, they wouldn't have known who I was and told me – they probably wouldn't have told anybody.”

“It’s getting scary”

It’s a frightening concept, particularly given the increasing prevalence of cybersecurity threats. And “it’s going to get a lot scarier because now we have Generative AI,” he noted. Not only can AI help people speak better English, but “it gives you really good ideas on how you can trick people.”

A prime example is Netflix, which employs an algorithm to recommend shows based on preferences and past history. “Your best friend may know you really well, but the computer knows you even better,” he said. “They’ve got a bigger catalog. They’ve got more data. They also have millions of people using it, and so Netflix is going to be much better at predicting what you like.”

And while that type of power is useful when it comes to setting preferences, it can do a great deal of damage if it falls into the wrong hands. “People can use that and weaponize it, which is scary,” Chan noted. “I think it’s going to get much easier for hackers because they’re going to use these tools and it's going to get harder for us on the receiving end.”
