Terry Ziemniak is an experienced healthcare CISO having served at PeaceHealth, Atrium, and Presence Health. He shares his research on the elements of a successful security program for Health IT.
Bill Russell: 00:00 welcome to this week in health. It influenced where we discussed the influence of technology on health with people who are making it happen. We were the fastest growing podcasts in the health it space. My name is Bill Russell. Recovering healthcare CIO and creator of this week in health it a set of podcasts and videos dedicated to the next generation of health it leaders. This podcast is brought to you by health lyrics. Have a struggling healthcare project. You need to go well, let's talk visit health lyrics.com to schedule your free consultation. If you're enjoying the show and you want to support our mission, develop the next generation of health leaders. There are five ways that you can do that. The first is you can share with a peer the second, uh, share it on social media. Third thing is you could hit our social accounts, linkedin, Twitter, youtube, and share our posts with others like them. All the other things that you do on social media. Fourth thing, Send feedback questions in guest recommendations to me, I'd love to, uh, keep expanding the number of people that we are a associated with and bringing into the community. And the fifth thing is you could subscribe to our newsletter on the, uh, on the homepage. Uh, speaking of New People today, we're joined by a Terry Ziemniak.
Terry Ziemniak: 01:18 Well, if you're my Polish grandmother, she would say Ziemniak, but it's become Americanized and now It's Ziemniak.
Bill Russell: 01:24 Ziemniak. Got It. He's the president of North wonders. Um, he was referred to me by a starbridge advisers, uh, do some work with them as well. Uh, you are a, a CSO that has done many stands across health care piece, South Carolina's health care now atrium, uh, presence health and others. Um, you know, well, I guess good morning. Welcome to the show.
Terry Ziemniak: 01:49 Hey, Good morning, Bill,
Bill Russell: 01:49 You know that the CSO is probably one of the hottest jobs in it right now. It's really, I, I, my understanding is it's really hard to find good CSOS. It's really hard to, um, get contracts, CSOS as well. What types of things have you been working on over the last year?
Terry Ziemniak: 02:05 Well, it's interesting. I'm working with a couple of partners to help address that problem. A lot of the smaller and mid size organizations, healthcare. Otherwise we're really struggling finding that CSO talents. So generally going to be an expensive person, um, who can help bridge the conversation between business and technology. There's not a lot of people that fit that space well and they're pretty expensive. So we're seeing more and more need for what we call fractional see silver virtual CSO. And um, more and more foru`ms are being developed where you can effectively rent a CSO to build a program, to build your strategy, to build your roadmap documents and get the buy in from the organization and effectively hand that off to the it organization. So, um, I, I think that's actually gonna be a trend going forward as these smaller midsize organizations have a need for that skill set.
Terry Ziemniak: 02:56 A security in those cases are typically handled by the manager or perhaps a security director who may or not may not have that skill set to really interact with, with the business organization, the business side. Because end of the day security is there to protect the business. If you don't have that, the interaction with communication with the business on security, you're going to go off tracks back and not get the support that it needs. So, um, these virtual CSOS are filling that role to help again build roadmap and strategies and have the conversations to align the two and then allow the in house security and it staff that execute those roadmaps.
Bill Russell: 03:34 Yeah. Fractional CSOS join the fractional chief marketing officers and other fractional, um, services that are out there, which, uh, I, you know, I could see it in this space. Whenever you have trouble finding really high quality talent and you have a, a significant need, those, uh, those kinds of services come into play. So for today we have, uh, you know, we try to keep these things to 30 minutes and we have so much to cover. We're going to cover one topic for our discussion today. And that's security. And one of the things I always find interesting is that the number of listeners, when I put security in the, uh, in the title of the podcast, the number of listeners is always lower than other topics. I think that speaks to, yeah, people are, they're struggling with security, they don't want to be reminded of it.
Bill Russell: 04:20 Um, but everyone recognizes that it's extremely important. So let, let's start, I'm going to start in a little bit of, uh, uh, let's, let's put ourselves in a boardroom. I'll play a board member, put my board member hat on and just throw a few questions that, uh, I've received in the past and board meetings and uh, yeah, just with someone with your expertise and experience, I'd love to get your background. So, uh, you know, the first question I think you might hear from a board member is, um, you know, the, they really only need to breach you once, they only need to get in. And once if they have one credential, they get in there on the network, they figure out a way to get to things. Um, you know, you're breached. They got, they have your data, they can get to your data. Uh, how can we not be shooting for 100% in this area because most CSOS would say, look, we just need to improve from, you know, 90% to 95 to 98 but that 2% leaves us vulnerable, doesn't it?
Terry Ziemniak: 05:19 It does. I think a couple of things kind of like that question you had there Bill. One is 100% really is not achievable. If somebody wants to have the resources and the time they're going to get in and to shoot for 100% is unrealistic, you're never going to get there and you're going to get, you're going to go bankrupt along the way. Um, I read an interesting article from the American Bar Association. They had guidance for a legal organizations and the summarize, their guidance is go and be pretty secure. You get the 85 90% done and then ensure the rest. It's really, even from Ada directly, they say don't shoot 100% because you're not going to get there. Um, companies are breached all the time. So there's the difference between a breach and then date theft. So, uh, viruses and phishing and bad links, bad things are happening in large organizations all the time.
Terry Ziemniak: 06:08 It's just kind of unavoidable in, that's the idea of defense in depth. You know, maybe they get into a user population or maybe they get into certain accounts or certain areas your network, but your, your crown jewels, if you've identified incorrectly, you have extra protections on those crown jewels. So just because of they're in, uh, perhaps they may not be able to find the data if they find the data, perhaps you don't have access to the data. If they have access to the data, perhaps they can exfiltrate the data. So you want to put those layers in place, assuming that they're going to occasionally get through the lower levels of your controls. Um, hopefully will get stuff before they get to the top layer and actually are able to take their crown jewels. But again, 100% is just not reasonable, um, with, with a realistic budget.
Terry Ziemniak: 06:50 Um, and I've always said we don't want to spend $1,000 on a million dollar problem and we don't want to spend $1 million on a thousand dollar problem. And that's where risk management comes from. Maybe a diverse management. How much do we want to spend? What are our priorities? Because you get them on a limited budget and security and probably still never be 100% secure.
Bill Russell: 07:09 Yeah. So three other quick questions I often get from board members. How do we know there isn't somebody's already in there actual actual trading data?
Terry Ziemniak: 07:19 Uh, well there's even that in itself is kind of a loaded question. When you talk about data, I think a lot of companies even don't have a full inventory of their data. You know, where is your day? Are we talking about bill's personal smartphone? Uh, his Gmail Account, the cloud, um, your network, your vendors and your partners, your data's all over the place.
Terry Ziemniak: 07:41 So I'm really, I think a lot of companies struggle with kinds of even where is the data for? The question is, is it being stolen within a certain network? It's certainly possible. There's, there's tools that do a good job detecting that. Um, but as more and more traffic it becomes encrypted. You can't necessarily see the traffic. So then you have to kind of take another level of abstraction back. Is it coming from a data set data store that's important to you? Is it going to a known bad IP address? Um, so it gets more and more complicated as ever evolving threats which require ever revolving controls to, to address those threats.
Bill Russell: 08:16 So why, why are they going after health data? What's the value of health data on the open market?
Terry Ziemniak: 08:22 While it's interesting, there's an article a couple years ago, I'm just historically the value of, of healthcare data records I've gone up, up, up and the idea being a, as can put compared to a credit card number, credit card numbers get stolen, visa writes off the loss and changes the number. No big deal. Um, it's really hard for bill or for Terry to change your social security number and that's where the value of the medical data comes because it doesn't change easily. So once you have it, you can get a lot of value out of that information. However, there's been such a daily use of health care breaches that on the black market that value of medical records has Peaked and it's going back down again now.
Bill Russell: 09:00 So I guess that's a positive. The other thing I hear from board members as you know, we've seen all these breaches. What has been the business impact on the organizations that have been preached? Clearly they get, they have fines, but they also have, um, they also have insurance as you stated earlier. Um, there doesn't seem to have been any major blow back in terms of the revenue and the profit of organizations that have, um, that have experienced large data breaches.
Terry Ziemniak: 09:34 Well, true. That's a valid statement. And it comes down to you from your business. Again, what's the business objective of cyber security? Is it to prevent 100% of the breaches? Is it, um, is it a marketing aspect? I have a, a client I'm working with and I spoke to the CEO. She said specifically objective one we need to protect the data. Objective two is we want to use security as a marketing tool. Um, perhaps your business objectives, uh, talk about, uh, the ability to share more data overseas. Um, perhaps you're worried about compliance. So you really need to understand what the business objectives are to build a security program. He can't protect, you can't defend against everything. Um, you know, insurance is there to designed to fill those slots. You'll be the only want to be 95% secure. You don't want to ensure the rest. Um, so what's the direct impact?
Terry Ziemniak: 10:22 Interesting article I read bill, um, they talked about health care specific, how the costs of marketing goes up post breach. So healthcare organizations that have been breached, how their marketing budget the two years following goes up. So those, there are some direct costs, um, but it's not enough to shut companies down. Um, recently OCR, um, made some announcement saying that the actual caps were HIPAA breaches are going to go decrease. Um, so it is, it is difficult. That's why board members and organizations are struggling with the concept of how secure do we have to be, um, if they're not seeing a lot of direct tie of revenue to those breaches.
Bill Russell: 11:00 Well, let's, okay, so I'll take my board hat off and I, I sort of want to walk, have you walk us through and so, um, I've seen some of your slide deck, some of your presentations and I'm going to walk through cause some of it's pretty, uh, I think it's really valuable to our, to our listeners. So you just give us a state of security within health it. What are you finding in the Industry today?
Terry Ziemniak: 11:24 Sure. So the research, you're talking about, you a little background on that first, um, working through UNC Charlotte, University of North Carolina, Charlotte, I get tied into A entrepreneurial program for, for some that accompany that I'm working on and, and a part of that program, including customer discovery. So hey entrepreneurs, you may have the best solution, the whole world, but it doesn't meet the business need. No one's gonna buy it. And that's certainly makes sense. So while was tasks as part of this program and go talk to a lot of executives about security. And when I was all said and done, I had dozens of interviews with, with leaders throughout healthcare and other industries saying, no, this is our thought on security that this is where we think we're headed. So it was great information. I tied it together and I made a presentation based on it.
Terry Ziemniak: 12:06 So that's, that's some of the numbers on their review with you bill today. Um, but specifically what's the state, I started off with, hey, hey executive, how confident are you and your security controls? Do you think you have enough? Do you not have enough of a majority felt they were actually good. They said their security controls were solid and they have high confidence in their security controls. I would just kind of interesting about a quarter. Then on the other end of the spectrum said they had little to no confidence. So it's kind of kind of a, a big gap there. But there were people on both ends of that spectrum. Then I took the next step bill and said, well great, your security program is either good or poor, let's break it into the pillars. So security really is not a model if the security consistent generally of people process technology and it's okay if your sturdy programs great or it's poor what do you feel about technology?
Terry Ziemniak: 12:55 And pretty much everyone, everyone said specifically technologies in greet shape our technology part of security, very corfotable with and I say great technology. Process, where are you on process about two thirds said yeah, our processes are very solid. Uh, the rest also then said that, well our processes are pretty good. So no one had any big concerns about process. Then I took the last pillar technology process. Let's talk about people. You almost everybody said people was the biggest risks of their security program. Um, so it was interesting when you take the idea of security as a whole and then break it into pieces, what are their concerns? Technology is not the concern because technology is easy to sell. You know, the idea of, well, we need $100,000 for a firewall or we need to buy this service. So there's things that are, uh, you can see, you can touch it, you can understand, uh, the people side of cyber security is really the gap is, is they don't know how to move the needle in there and they don't really know how to get the value out of the thousands of people perhaps working in the organization.
Terry Ziemniak: 13:55 And that was kind of like a gap. Everyone acknowledged and they really didn't know how to be a little bit. Um, but they also did say people had the highest potential for improvement. So technology is in great shape. It can't improve much. We don't want to put our effort there. Um, all of them, nearly all of them said people are our biggest risks and they all said people also have the highest opportunity for improvement. So that really I think is gives you some visibility or the CSOS are looking, is it, they see the whole and the people side and you want to shore that up.
Bill Russell: 14:25 Yeah, it's um, you know, it's interesting. I've mentioned this a couple times, you know, when you have 23,000 people or 30, or 40, or even 90,000 people in an organization, uh, that are willing to give away their credentials with a, uh, with a phishing attack or those kinds of things, that becomes your attack vector and you have to figure out a way to shore it up. I don't necessarily agree that the process and technologies is big within health care and, and I would really, um, you know, we're, we're, we're going to focus in on the people's side today cause I think I agree with you that it's a majority of the, of the challenge in an area that we can improve significantly, but on the process and technology. But we spent too much time building walls, not enough time, um, analyzing what's going on in the wire, doing, uh, a, an audit of our data and, and, and where all that data is an audit of our, uh, uh, business associates and our partners are what their security practices are, an audit of our cloud partners and their practices.
Bill Russell: 15:25 I think if you really dig into it, you're going to find a significant, a significant failure grade in terms of security. And I know I'll get in trouble from some people who say, well that, that's not indicative of all healthcare, but I think it's indicative of a lot of health care. Unless you're at scale, unless you have enough money to throw at this. I mean, and by enough money, I mean, you know, four, five, $6 million a year to throw at this, you probably need to get an outsource provider because you don't have the expertise in the controls to put in place. Now with that being said, I want to go back to people process technology. It's a, it's a common framework and it's there for a reason because it is, it is a good framework to work from. Um, so if we can improve on the people side, let's, let's talk about some of the things we can do on the people's side. So, um, how, you know, what are some areas that we can prioritize to make our culture better, to make the, the, the people aspect of our security better?
Terry Ziemniak: 16:27 Well, I think the big problem that I definitely heard during the interviews I've seen in my experience is people are really not using risk management concepts to be program. So every CSO is going to have some sort of risk register. I'm worried about x, Y, Z. I'm worried about clinical engineering devices and shadow it and cloud and personal devices and not about a down the road. Um, but that is not being used as input into the awareness for people touch all of those risks and people can help mitigate those, not necessarily eradicate the risk, um, but it will reduce the risk by having more people aware of what's going on. So I think one of the key things is, um, expansion of the words program. Pretty much everybody does phishing tests. So we'll send out an email. If you click on it, you get a pop up saying, hey Terry, don't click on that link.
Terry Ziemniak: 17:17 You shouldn't have done that. And here's why. And that's great. As certainly a value. Um, but not many people are looking beyond fishing, you know, are they educating people on, um, you know, people may have their own backup responsibilities. Um, incorruption the number one breach according to OCR with, with the hippo wall of shame is, um, unintentional disclosures. So emailing things to the wrong people are not encrypting those sorts of simple mistakes is just a user awareness factor. So, um, again, what I'm seeing is that people are very myopic and they're looking at a single topic when it comes to, to awareness. But you know, Gosh, when I was a CSO at a previous organization, very large, multibillion dollar companies, I generally had a security staff around 10 or 12 people for multibillion dollar organizations. And there's, you know, 10, 20, 30,000 people, you can't secure 30,000 people with 10 security folks. You need all 30,000 people in theory all of them. But you need all of them thinking about cyber security. You don't need them all. New Firewall engineers, you don't need the pen testers, but you want them a little cynical. You want, I'm a little mindful in. And that's really the objective that I'm hearing.
Bill Russell: 18:29 Yeah, we are, we almost have to start thinking, um, we have to start thinking in a nefarious way, like how, how would people get into this environment? And when I, when I sit across from security experts like yourself, they, they talk about, you know, simple things like, um, uh, you know, giving people access to your building and you know, you don't think about that in terms of your security program and access to, um, you know, being able to walk by, you know, certain screens that aren't, um, uh, aren't shaded or whatnot. And then you also end up with a actual employees who've been compromised and are essentially selling the information, uh, as sort of their side job. I mean, so there's, there's so many different ways that you can, you can be breached. Um, and so how do you build that? That it needs a culture, right? It needs a culture where as you say, 30,000 people are thinking about security. So, so how do you do that? You have 15, 20 staff. Let's assume we give you 25 because we're feeling generous. Um, w what are you gonna do? How are you going to do it? How are you going to build that security culture?
Terry Ziemniak: 19:43 Well, that's interesting is that organizations that have been struggling with that concept forever, how do you set the right culture and what maybe what is the right culture? And how do you set the culture, um, what I've seen that works is it needs to be, um, a multipronged attack attack. You're not going to change the culture by going to the board or the C suite and getting those 10, 20, 30 people on board because that does no good. They're up in their ivory tower. You're probably also not going to make significant change if you're only working on the end users. So if your receptionists or your nurse or your finance or HR people to think about security, that's great, but if they don't have the support, it's not enough what you really needed to hit the third tier, you need to hit the middle management as well.
Terry Ziemniak: 20:25 So things like manage or talking points, um, things like, um, uh, security risk assessments on staff. You know, hey, bill, clicked on five bad emails this year, Bill's boss should know about that. Um, if bill's not participating in the annual training, uh, Bill's boss needs to know about that. So if you have the executives, uh, participating, supporting and tracking these concepts, you have middle management talking about with supporting and reinforcing these concepts. And then you have the end users hearing about these concepts and learning about these concepts at a user appropriate level. I call it an aunt and uncle level concepts. Um, the three of those really I, I've seen help change the culture because it's hitting all the different areas and it's supporting itself.
Bill Russell: 21:11 Yeah, that makes sense. So the past couple of months we've seen a major breaches, quest lab corp that were initiated through business partners. Um, how do you involve business partners in a security program?
Terry Ziemniak: 21:25 Well, it's interesting. So that previous 27 years of my career, I've been on the corporate side as a security leader. Uh, you know, knocking on a third party and the vendors saying, Hey, are you secure? You're secure. And historically consistent up, here's the spreadsheet and convinced me you're secure. Um, now that I'm in the consulting space, that past couple years, I'm actually on the receiving side of those spreadsheets are those assessments. And it really is a whole different perspective of if I'm a data analytics company and I have six different healthcare organizations I work with, I've got to answer these questions six different times. They may have different answers for different companies and maybe be nuanced and what not. So it really is a mess is how do you shore up that relationship between your partners and Healthcare Organization itself? Um, what is the right answer?
Terry Ziemniak: 22:11 I don't know that anyone's figured that out yet. There there's services you can do. Um, I think the answer is something like a high trust sort of certification. So working with, with my um, service provider, um, client that I'm working with, they're going to drive towards high trust. So then when, when the healthcare organization say, Hey, uh, convinced me you're secure, they can say high trust says verse secure. Um, uh, course doesn't guarantee security, doesn't guarantee you're properly secure or secure enough. But it is a stamp to say at least the basis are covered. I think something like that is really what needs to happen is um, in these poor vendors and partners cannot keep answering. These same spreadsheets over over again. They just provide solo value in many cases that the hospital itself doesn't even review the spreadsheet. You know, the, the, the, the instructions were getting from the healthcare provider says, just make sure none of the answers on this spreadsheet or blank as long as there's something in every single cell will pass you in, in those are the, that's the information that, you know, they're kind of low level users actually execute.
Terry Ziemniak: 23:13 The spreadsheets are hearing back and forth. Um, so I think it would really help is the idea about a third party kind of a assessment to say, yes, there is secure,
Bill Russell: 23:21 well that's a, you know, a, a culture of patient safety, culture of security or have similar characteristics if the it organization feels like there's so much pressure on innovation, on moving projects forward on those kinds of things. There they may shortcut certain things and this is why you have different levels of security and, and different oversight. But at end of the day, a culture of security has to drive the same, uh, level of priority for the program through, through the entire organization. It can't, uh, you know, it can't be at different levels on the organization based on that department's priorities, I guess is what I'm saying.
Terry Ziemniak: 24:03 Agreed and interesting engagement. I had last year as I worked with the larger healthcare organization to move it, they brought me on board specifically to move security outside of it over to legal organization. So they brought me on board. The CIO is on board, which was great. Um, and we got that done. But as a whole different perspective of the world and when you're outside of it. Um, so as you're building the CSO office and running as the interim CSO, it gave me a level of visibility and I was able to talk high level concepts that really wouldn't be on the ears of the CIO. So, um, when we establish program concepts and policies and standards, it applied to the data, whether it was responsibility for the CIO or perhaps our clinical engineering department or cloud providers or our partners or our vendors down the road. Um, being outside of it allowed me to, to, to discuss them formulate, again, an umbrella of security that covered our data and our devices regardless of where they set, who was responsible for them. So, um, you know, good for that company. They actually, it was, it was a big win. Um, uh, getting that done.
Bill Russell: 25:09 Yeah. And one is one of the first things I did as a CIO only because I was, I was an interim CIO for about three weeks when we were, we had a breach. And I saw the impact of that, uh, on the entire organization. Every project comes to a halt. You have to do response. There's just, it's just a huge undertaking to respond to a breach. And so one of the first things I did is I took a look at the security practices. I said, well, this, this is not going to work. So we took this, we took the, we hired a chief security officer who had a digital background as well as a physical background and brought that together. And then that person ended up reporting into a, uh, compliance and, and they became a peer of mine and oversaw things. Now, I still had a CSO within it, but that CSO was primarily focused on digital and had oversight from the chief security officer, which was a, you felt like it was, it was a pretty good model. Um, but, uh, and they work very closely together. So just for fun, let's, uh, you, you have in one of your slide decks, you have good Bob and bad Bob in terms of the security culture. Um, you know, so contrast the a user within an organization, you have 30,000 employees, 50,000 employees, or even 3000 employees. Contrast a person with the right mindset and a person who's maybe not, not tuned in.
Terry Ziemniak: 26:35 Right. So again, the caveat, these aren't my words, these are the survey. So it's like, look, the part, the exercise was he executive. Let's talk about your users. How would you, how would you describe the goal? What is your good Bob and then what is your bad bob? And it was interesting, the things that I've heard so bad Bob's were described as things like not paying attention, um, cliques on anything, um, doesn't get things like that. I'm also, a lot of them mentioned older, it was an age issue. Now I don't know is old so much that it's strictly um, the age of the birthday sort of concept. But, but it does bring to light the idea that you have people with different backgrounds, different perspectives, different activities. Um, so perhaps an 18 year olds idea of security and privacy is going to be different from someone who's 30 versus someone who's 50.
Terry Ziemniak: 27:27 someone who's very comfortable on a, on a computer, you have a different concepts of security versus someone who is very uncomfortable with the technology. Um, so that just speaks to the need that when you work with people, you need to understand their point of view. That the objective again is not to make everyone white hat hackers, but you need to make them all a little more engaged or more involved in the program. Um, so those are the kinds of things that I've heard when I ask people about bad Bob on the good Bob, um, you really is, is a couple of key things. Mindful in different ways they described it, but mindfulness. So slowing down, understanding the concept, taking a breath before you click that, that was a common thing. I'm empowered if you can get people to, to feel comfortable protecting themselves at home or taking personal responsibility to encrypt files.
Terry Ziemniak: 28:15 So the more people are doing things and participating in the program, the more empowered they are. So, uh, empowerments and other one, um, engaged. So are they thinking or do they feel a sense of accountability engagements that are the big thing. And lastly, what popped up was the idea of literacy. You know, many people that organization just are not technologists. And I think as CSOS and CEO's, we often forget that a lot of people don't really understand technology. Um, they're not comfortable with technology and maybe they may be Fred afraid even talk about it. So basic literacy of the tech technology, of the threats of the risks, you need to have those sorts of basic concepts, um, for people to really participate in your security program.
Bill Russell: 28:56 So what are you talking about metrics a little bit, but what are some common metrics that, um, that a good program we'll have in place to measure their, their success of their program?
Terry Ziemniak: 29:08 Sure. Well, metrics is interesting. Everyone agreed that I spoke to the metrics are important. I think just intuitively we all understand the concepts. The concept of what's measured can be improved. If you don't really know where you're starting from, you're not going to be any better. Um, common metrics are people that do phishing tests, measure click rates. Um, some of them, uh, all of them track CVT participations, your computer based training, your annual videos that you'll look at, the all track that they may track participation in presentations if they give those. Um, the fourth common metric is submitting fishing's fish tests or actual fish to the help desk. So, um, the idea that bill got it bad email and he was cognizant enough to send to the help desk saying, hey, this looks suspicious. Um, so those are common metrics. The problem with metrics is uh, they don't really apply well to awareness when awareness is just the idea of culture.
Terry Ziemniak: 30:05 Right. How do you measure mindfulness? How do you measure engagement? There's not a good answer to that. Um, but the companies that are more advanced in the awareness space, they do things like focus campaigns. We want specifically to talk about patient identity theft. Those are focused campaigns that I've seen one before. And when you get to a focus campaign and you have specific objectives of patient identity theft, maybe you want to measure and you want to get the understanding of patient identity theft to go up or pressure departments. Um, maybe you want people to have a better understanding of the FTC red flags tied to identity theft and maybe you want to increase the number of reports of red flags, suspicious sorts of activity from your finance group. So if you have a focus campaign around objectives, then you can make very specific metrics. I think that really is the gap. I mean, where does metrics front is people trying to measure a culture in mindfulness and engagement, which is hard to do. But if you had specific objectives, you had a specific campaign around, again, identity theft or password misuse or um, smartphone protections, then you can have metrics to support those objectives.
Bill Russell: 31:16 So Terry, I have two more questions and I'm going to do something different on this show. We're going to, we're going to close up the show. I'm still gonna ask you the two questions. I've never recorded them. And then we'll, we'll put them out on social media, but they're not going to be a part of the, uh, the, the audio podcast. So if people want to, to tune into those, we'll have to follow social media, or subscribed to the free newsletter. You'll get it as well. Um, so, uh, this is a great discussion. I really appreciate you coming on the show. We're at our 30 minute mark. So, uh, is there anything you want to want to leave the listeners with? Uh, you know, how they can follow you or get in touch with you?
Terry Ziemniak: 31:55 Yeah, absolutely. I think he made, my website is northwonders.com Feel free to visit me over there. Um, I'm very active on linkedin. Um, I regularly post information that really is, is leadership level contents on cybersecurity. Um, so telling the story of Mandela's, who's the Oreo cookie manufacturer, uh, they had interesting story where they were hit with ransomware and then took that cyber claim to their, to their cyber insurance providing, which was Zurich and Zurich denied the claim. Oh Wow. So having those conversations and having leaders here about, um, specific cyber attacks that directly impact business, $100 million cyber claim is going to impact business. Um, but having those level awareness concepts, I regularly post on linkedin about this. So, um, that'd be a great way to see what I'm talking about. And visit me on Linkedin?
Bill Russell: 32:47 Fantastic. So following you on Linkedin, um, thanks for coming on. Please come back every Friday for more great interviews with influencers. And don't forget every Tuesday we take a look at the news, which is impacting health it, this shows is a production of this week and health it for more great content. You can check out our website @thisweekinhealthit.com or the youtube channel at thisweekinhealthit.com/video. Thanks for listening. That's all for now.