
CISO Panel: Managing Organizational Risk during a World Pandemic

BSides Tampa · 2021 · 51:48 · 27 views · Published 2021-04
Style: Panel
About this talk
Managing Organizational Risk during a World Pandemic

Panelists:
Michael Melore, IBM Cyber Security Advisor
Hussein Syed, VP | CISO, RWJ Barnabas Health
Charles Gagnon, Sr Director | IT Infrastructure, New York Genome Center
Timothy Swope, CISO, Catholic Health Services

WEB: https://www.bsidestampa.net
DISCORD: https://discord.gg/FhdkSNa24P
TWITTER: https://twitter.com/bsidestampa
MERCH: https://bsides-tampa.launchcart.store/

About BSides Tampa: B-Sides Tampa is an Information Technology Security Conference hosted by the Tampa Bay Chapter of (ISC)², a registered 501(c)3 non-profit organization. The purpose of B-Sides Tampa is to provide an open platform for Information Security industry professionals to collaborate, exchange ideas and develop long-standing relationships with others in the community. The B-Sides Tampa IT Security Conference took place virtually on March 27th, 2021.
Transcript [en]

...the pioneers in IT talk to us for one hour on the topic of managing organizational risk during the world pandemic. Before we begin, I'd like to quickly introduce everyone on our panel today. For today we'll have our moderator, Mr. Mike Melore. He's an IBM Security Advisor, certified CISSP, an author, frequent national speaker and moderator, and recognized subject matter expert in security and threat intelligence, identity access governance and authorization; a pioneer in identity access management, access governance and authentication; with past consulting roles including lead architect for many of the world's largest authentication and authorization infrastructures. This includes two of the first individual billion-user authenticated infrastructures. He's a founder, moderator and group secretary for 13 regional CISO security roundtables across the US.

Next we have Mr. Hussein Syed. He's the Vice President, Chief Information Security Officer at RWJ Barnabas Health. Mr. Syed is responsible for information security and the organization's HIPAA compliance and security governance program, and his team is responsible for information security functions for the healthcare system. Prior to joining RWJ Barnabas Health, he started his professional career as a consultant in the networking and system management practice with a solution integrator; he joined the seventh lead mandela and management of infrastructure.

Next we have Mr. Charles Gagnon. Mr. Gagnon is a Senior Director of IT Infrastructure and is responsible for the technology environment at the New York Genome Center since 2017. NYGC is an independent research institute focused on genomics and whole genome sequencing (sorry, speech pattern today). The center is the hub of collaboration for key domains like cancer, neuropsychiatric disease and neurodegenerative diseases. Charles is an experienced technology and business leader with experience in both biomedical research and finance. He has focused on building and leading teams to maintain high-performance heterogeneous infrastructure, and specializes in finding the best technology solution to solve complicated problems while respecting an entire set of constraints. His 20 years of experience supported traditional and quantitative efforts and e-commerce cloud-based platforms, while focusing on compute platforms, networks and data centers, cybersecurity and disaster recovery issues.

And last but not least is Mr. Timothy Swope. Mr. Swope is currently the CISO of Catholic Health Services, the 18,000-employee hospital group in Long Island, New York (that's the only New York accent I can get). He's an information security and IT risk management professional who partners with chief information security officers and IT governance, risk and compliance executives to assess and deliver IT security and risk management programs in healthcare and insurance, pharmaceutical and governmental agencies. He's spent over two decades assisting clients implementing secure enterprise BI, EHR, meaningful use and other data science systems. Tim Swope understands the requirements and components that create a secure information security posture. A key area of his expertise centers around interpreting and applying federal, state and industry regulations such as DSRIP, HITRUST, HIPAA, NIST SP 800-53 and 800-30, 21 CFR Part 11, health insurance reform security standards, FISMA and, locally, the zydoga act (that's why I was going to push you there), to name a few. He also supports cybersecurity requirements for the Medicaid Delivery System Reform Incentive Payment program at two of New York's largest PPSs, Northwell Health and NYC Health + Hospitals. Again, thank you all, and I'd like to hand it over to Mr. Mike Melore.

Well, thanks for having us today. I think we're going to have a nice lively conversation. The first question that I'd like to pose to the panelists, I'll start with Tim Swope. So, Tim, how has the COVID era, the remote workforce that we're all facing right now, how has that impacted or changed the risk scene?

One of the things it's done is it's expanded the risk beyond the walls that we're normally used to. In other words, now the risk has spread from our offices, our corporate offices, out to the remote users in their homes, and also it's expanded into the areas of our own vendors. So we've had to increase monitoring capabilities, things like patching, the things that were very simple to do in our own organization. Now we have to schedule, make sure people's computers are on, and really also the ability to work and monitor people from a personal standpoint, and to make sure that they're there to get the things done on a 24-by-7 cybersecurity model that we all have.

Any other perspectives, from Charles?

Yeah, Michael, it definitely changed how fast projects have to turn things around, right? So we saw, specifically at the beginning of COVID, where basically some organizations had a very short amount of time to get all their workforce remote and get all that squared away, and in that time you needed to be secure, you needed to keep focusing on your risk management and do all the governance processes that you have, but you also needed to act quickly. I feel like historically there was always this sort of trend that projects could either be very fast and agile or they could be secure and robust, and I think this was the time where everything had to come together. Things had to stay secure, because there were a ton of issues that would circulate around COVID time, but things also had to happen very fast, because once employees were not coming into the office you didn't have the luxury of months to get that set up. You had to be ready in a few days.

Yeah, I mean, to build on what Charles and Tim said, it was a moment for our organizations to step up, especially in the healthcare arena, in order to take care of patients. Patients first, right? So we did whatever had to be done to enable the workforce to be remote, to be collaborative in whatever shape or form they needed to, in all healthcare operations. You can't just provide patient care if you don't have proper supply chain processes enabled and the rest of the frontline workers that support the medical staff to be able to provide the services they need to. But it introduces another challenge: all the business continuity or the risk management processes were built around how the operations take place at that given time, and with the fast-paced change in how we moved around to accommodate the pandemic-related infrastructure needs, I think it's now time to go back and reassess all the processes and do another sort of redo of risk assessment and identify where procedural changes are needed to accommodate that, because now that's our new norm. So to build on that new norm, we need to actually take a step back, reassess and educate the workforce on how things are done now, because as Tim said, we don't have the four walls or the firewall infrastructures anymore; we're all over the place. So identity has become the new firewall, so to speak, where you drive everything off the identity of the user as opposed to the workstation.

And a final thing on a good point: we've had to drive innovation in the healthcare world. It's the same problem. We expanded to giving services, to having to change to a different type of patient experience in a more secure manner. So I hate to say "don't let any crisis go to waste," but we've actually allowed ourselves to innovate in a way that is actually delivering good services to, let's say, some folks that could normally not get into the hospital. Now we reach out to them, and it's something that needed to happen, so we were quick in innovating in that area.

Yeah, we persevere, right? Healthcare is an industry that has to persevere in any event, because we are a critical infrastructure service.

Yeah, that's a great point, and all three of us are within the healthcare world, but I think we've seen the same across different industries, right, whether it's education or finance. Everybody's had to adapt and find ways to provide the services in a way that's secure, where you can trust the people you're dealing with, but also that you can effectively do it remotely without wasting too much time.

So I'm aware that a number of organizations have challenges in aggregating all of their incidents and their risk, and then normalizing that, and then reporting that on such a frequent basis to their chief executives. So if you wouldn't mind, maybe we'll start with Charles on this one. So, Charles, how are you

measuring and reporting that risk to your chief executives, the boards, maybe the lines of business and so forth? How are you doing that? Are you automating that?

We're trying to work towards that. So the New York Genome Center is a small organization; we're roughly 275 full-time employees. Our budgets are largely driven by philanthropic efforts, grant-funded research efforts, so our operation is to sort of remain lean and low-key. We don't have a full compliance department and a CISO department and all these different groups, so we rely on a few key staff to get a lot done. So the key for us, and that started a few years back, was to really get started smaller, and just get started with the mindset of governance, risk management and compliance. I know that everyone shuns sort of the use of spreadsheets, and it's generally not a great tool for a long-term strategy, but that's where we had to get started, right, to make sure that we track proper controls, and then we put that in there. We also had to implement sort of a basic project management governance, so that we could move away from being very, very reactive, where people were just doing tasks that were assigned to them, to being more proactive, where the engineers on the team were looking for: all right, I have this task to do, what project does this relate to, where does this fit, what does it improve, is it a priority right now for the entire center? So once you have sort of these pieces in place, then you can start to collect numbers and get more visibility and produce reports. Now, because a lot of that is manual when you get started, the reporting cycle is not going to be real time, because this is going to be a process to sort of collect the information and update the reports. But once you have this mindset in place, you start to collect the information, populate the right systems, then you can look into a lot of the tooling that's available for governance, risk management and compliance. There's a ton of them that help facilitate that process and do the same thing with fewer resources. So then you can look at full frameworks like COBIT or ITIL or whatever framework you want to look at to really try to formalize your risk management process and then increase your reporting. So we went from reporting to the audit committee of the board of directors maybe every two years to now having close to real-time visibility into how things go, and that's definitely a process and a mindset change, but once you get there you get good results.

Anybody else want to weigh in on that?

Yeah, one of the things that we do is, and again, before you even start with a risk management program or even look at risk management tools, we defined our risk tier levels: Risk 1, a risk that requires mitigation and that might not be acceptable; Risk 2, the next level down, a risk that is considered acceptable; and Risk 3, very low risk that might offer some cost savings. But then we have a risk determination and assessment process where we look at three factors: the likelihood that the risk would happen; what's the business impact to our organization, which is different depending on what your organization is; and then what is my control effectiveness. Doing that, we've actually created a mathematical equation that gives us a risk tier based on the likelihood, business impact and control effectiveness. When you have those, those are actually the pre-tools that you can put that information into Riskonnect or some of the other tools that are out there, Rsam. I actually do a lot of the tracking on a spreadsheet with that, and then on a quarterly basis I bring them to our board of directors so that they can understand the risks that we have. We're hospitals, so we do our triage on them, the highest priorities first, but it gives them some sort of an idea of the cost to remediate some of these, and we also have metrics for the benefits. So when you bring all those together, it puts the risk in a more real way that they can touch and understand how they affect the organization and the impact that they might have if they're not remediated.

So are you able, from that reporting, to distinguish maybe from the last period to the current period where there's a heightened risk posture and so forth, and even trend some of that, maybe?

Yep, and in fact you can do that. You can trend it over time. You can do a lot of trends too, not just the risk but how many risks you remediate. We've got a small staff too, and as Charles said, they might have a small staff. We have vendor risk analysis requirements for annual, and we want to see how we can actually do those. So you do have to trend, monitor the amounts that you do, but also make sure you're focusing on the high-risk ones first.

Now how about someone with unlimited budget, from, like, Robert Wood Johnson Barnabas?

Are they hiring? No, I thought you were alluding to IBM.

Yeah, yeah, Mike's talking about himself.

Exactly, stuck in that third person.

So I should have given a disclaimer earlier, but I'll do it now: most opinions are mine and not of my employer or a former or future employer, so some of that context really is my opinions. So like Tim and Charles said, risk assessment is a very fluid process. The risks in cybersecurity keep changing, and in some areas they keep getting magnified, and there's so much information out there, so we have to have a very defined risk assessment process, and the results of those risk assessments need to go into a risk register so that we can create some key risk indicators to inform executive management of where we are focusing our efforts. Unlike IBM, we don't have unlimited budget and an open checkbook, so we prioritize high-risk items first to address them and then report on them as they get addressed. Some of them take longer to address because they're not short-term fixes; you can do some tourniquet-type stuff, but you have to come up with a very sustainable process to mitigate the risk, and weigh in how that risk affects the operations of the organization as well, right? You can't make a change without taking into account how it affects the user community. They have to be educated, they have to be trained on using different processes, because ultimately it's a business, people, process, technology problem in cybersecurity, right, not just the technology issues. A lot of risks can be mitigated by process changes. So some of that needs to happen. Ultimately the board needs to understand how committed an organization is in addressing the information security risks, and that's really what our intention usually is: to inform them where we are, where our destination is and how we're going to come back to it and reassess and continue to grow.

Now, are there challenges in even aggregating that information and pulling it from all the different sources, because now a number of services are likely even in the cloud and scattered all over the place, right?

It is. There are, and that's what I said, it's a fluid process, right? We keep adding different tools to assess different areas. Some is a manual process of interview-style risk assessment; other is to get the data from certain sources which could tell you the health of that environment, and how you can now assess the risk based on whatever data you have, and then chart it and historically see how the trend is changing. Are we going in the right direction, or are we still? And sometimes you want to just be plateaued, because that's your risk tolerance, and in some cases you want the risk to go down, depending on what the circumstances are, so that it all gets taken into account. And cloud's here to stay, so we might as well learn how cloud works and what the risks are in the cloud and how to operate in the cloud.

So, AI, and this one I'll start off

with you, Hussein, on this one as well. So AI and machine learning has been around now; it's progressing, evolving I should say, and I know at IBM we prefer to even refer to AI as not artificial intelligence but augmented intelligence. So how is the augmented intelligence, machine learning and all the tooling, behavioral anomaly detections and all, how has that been effective or maybe not effective, and how are you maintaining, staying up to date on your threat intelligence? How do you keep pace with the broadcast of information that's coming at you?

Wow, a loaded question there, but I'll take the layman's attempt at trying to answer that. So the industry's growing. There is what I would say a fatigue of intel coming our way around threat and threat data, so we're utilizing a number of tools that are basically ML/AI based. We don't develop them ourselves; we have partners that have developed them and have provided us access to those tools, and some of them are paid-for services that we utilize, and they have helped quite a bit. I would say that's the direction we need to go in, in threat intelligence and some other areas, in terms of navigating that deluge of data that's coming our way and the data we are ourselves collecting, the telemetry data from sources internally or externally, and being able to identify what we need to focus on. Mail security, data collection in a SIEM, a couple of examples that are being used around using AI/ML-based solutions to really augment the staff we have in determining where the threat is and how to react to it.

How about others, on your view of the automation, where it is today and where it needs to go and so forth?

Automation and AI is really good, and I think it's a large piece of the puzzle right now, so it's a building block that's been integrated in some of the traditional tools that are also just as valuable. People just have to recognize that there's a multiple of tools that they're going to have to combine together to make sure they get the appropriate solution. One of the interesting things with AI is once you have a big shift, right, so COVID, everybody went remote, we practically had to sort of re-baseline how our users were interacting with the systems, because everything was getting flagged, right, because all of a sudden everybody's remote, some people went back to home countries and started working from there. So the footprint left by our users was completely different than what it was prior to COVID, so then you had to sort of re-baseline and retrain the system based on that new normal. That's something that people have to be ready for: you cannot unleash AI into your monitoring environment and just expect it to give good results. You need to be constantly looking at what's going on to see if you're getting what's expected, you're picking up the right things or missing important things, and then when new systems are added and things change in your environment, or the structure of your infrastructure changes, then you need to sort of retrain your tools to make sure that you're in the right place.

Very good point, Charles, because it's such a dynamic area; it's not static, right? As the situation changes. And you want to separate ML/AI-based solutions and automation into two separate buckets, because you really need to get to a good amount of clean data that makes sense to you before you can really look to automate anything, to take any actions on that information you've received. If you don't understand what the information is and what the impact of that is and how to automate something to address an issue, and do it manually a few times before you really go the RPA route, you're likely to have problems. And again, have enough checkpoints as the environment changes: how does your automation change along the way? Because if you don't change your automation based on the environment changes, you're able to do wrong things and disrupt the service.

Yep, and I agree with both Charles and Hussein. One of the things is anomalous behavior changes depending on the anomalous thing that's going on. In other words, with COVID we got people working at 2 a.m. Now, in the healthcare world, if I could figure out a nice even flow for all six, seven of our hospitals it'd be great, but there's anomalous behavior that happens all the time based on incidents that pop up, so you actually have to interact. That's why I like, as Mike said, "augmented intelligence," because you literally have to interact with it; it can't run off by itself. I always tell people that Skynet has not been fully deployed yet and self-aware. So we do have to interact with it and understand what's going on. And there's a lot of uses that we've used AI for too, outside of just the threat intelligence. We have electronic medical records; you now have tools that will see if people are doing the things they're supposed to do based on their policies and their work functions. So it's almost like Orwellian Big Brother. And also, I don't know, there's companies out there, Mike might know of some, that have great AI for healthcare with analyzing data scans, things like this, but there's some big movement also from an AI standpoint in actual healthcare and identifying things that would take 20 eyes to do. So I think we're moving in the right direction, but it is augmented intelligence, and it's something that people have to understand: you get it better by interacting with it and making those changes to it too.

So you bring up a couple of good points. I just want to hit home a little bit

more, so that interaction. So right now the AI and the machine learning and the behavioral anomaly detection, it's really for alerting and putting things into different buckets today, right? So are you seeing that as a trend, and maybe we need to get better at having automated triggers to automatically isolate and maybe automatically unlock users based on different circumstances? Right now, if I'm reading you correctly, that's really the interaction of the person interpreting whatever is being presented. Is that correct?

Yes. In fact, though, here's one interesting thing in the healthcare world: for people like us, you actually have to know a little bit about healthcare. Let's say I was in finance and I can block somebody and shut them down from anomalous trading; it's not going to kill anybody on the operating table. In healthcare we have to understand that there's a fine line between security having something automatically happen and turning over hospital operations because of some things that you do. So it's a different dynamic where you actually have to know that, and hire people that work under you that are really knowledgeable on the hospital operations, so that you understand what real anomalous behavior is and how to attack it.

So building on Tim's point, in a geeky way, you have to talk to the data. If you can't talk to the data and understand what the data is telling you, you really cannot make a decision on that data, right? And that's really where the challenge comes in: this whole decision support in the data sciences field not only requires computer scientists but also subject matter experts in the respective area you're looking to do any automation in, right? You have to take the data, you have to train the data, you have to use supervised, unsupervised learning before you even go to the neural learning or deep analysis or deep ML phase, right? That's where cognitive decisions are made and the data in itself starts to make some decisions. But to get to that point, it's a journey that could take a long time depending on the skill set of the individuals and their background, their understanding and their eagerness to learn, to get to that stage before you actually start making some automation decisions around any type of activity. A simple example would be rogue devices on your network, right? Any device can be considered rogue on the network and quarantined and shut down, unless you have a very clean, crisp way of identifying good from bad. You may end up quarantining critical devices on a network that could have far worse effects than shutting your printer down or taking a trader off the trading floor for a few minutes, right? So it's a journey, it's a learning process, and it's coming, and healthcare IT is adopting it in many different areas. Like Tim mentioned, there's some areas outside of cybersecurity that are utilizing AI/ML solutions, and they might do it much better than cybersecurity is doing it, because they have the plethora of knowledge in their space to understand and learn that data before they actually make decisions around it. There's going to be a lot more research using AI/ML in any area that you pick up, not just in healthcare but across the board.

And to add to what Tim was saying, on top of the healthcare component, where there's some things you can't shut down because you have big risks: I work in an environment where we do a lot of science research, and trying to do anomalous behavior detection on a science research world throws red flags pretty much every single day of the week. A lot of these systems have been designed to work with sort of the standard office environment that I'll call a law office or a simple bank, right? But we have people who are interacting with all kinds of other institutions in foreign countries; some of those may be high-risk countries, and that gets flagged. We'll have researchers who scan entire petabytes' worth of data on a given morning, and that's just because of the work that they're doing, and it gets flagged. So all these systems have to be trained and adjusted based on the work that you're doing and the output that your organization is trying to do. If I'm constantly slowing down research because of my risk management platform, or if I'm jeopardizing healthcare or lab testing because of my risk management platform, it's not a good outcome.

You're going to go back so far, like coming back to where you were might be difficult, because impacting certain things is not a good thing. And research requirements now, I know, Charles, you might see them grow, but we even, I'm sure Hussein too, research requirements for outside research entities that are looking for COVID data. Now we've had to let them come in and pull out PHI, but we have to make sure it's in a secure way. We identify correct identification and authentication of these folks, because more than ever I've had to allow, and some of these are under government grants, data exfiltrating out of my system for people for a legitimate use that normally I would never do. So we actually have inherent risks in things for research that we have to have compensating controls and monitoring for, now more than ever, to make sure they're going to the right people.

Exactly. Oh, you're absolutely right. I mean, the whole research paradigm has shifted, and for the good, right? I mean, if there is no research there's no progress, right? So that has to happen, and we just need to find the right way of accommodating the researchers to get to the data in the right manner.

So, Tim, you brought up something, so let's take it around to the third-party vendors

and suppliers. So us in the risk business, we certainly always had our guard up for the risk associated with third-party vendors and all, but certainly with SolarWinds and all, everyone else in the world is now realizing the risk of third parties. Maybe you could tell us a little bit about that third-party risk, and how you're viewing that risk and tightening things up.

Well, one of the things I've always been big on is third-party risk management, and that's not just risk assessment but it's long-term risk management of them. We have requirements, not just for, again, somebody with PHI, all highly critical data, those are the ones that we actually have to review every year, but those are where we got a lot of breaches. In fact in 2019, which I am for 2020, but by the end of 2019 one-third of all healthcare breaches came through a third party. These are people that we have a BA with; it's still a breach, you know, they still haven't had it, it loses that patient security that they have. So it's more than ever now also that when we do a risk assessment on a potential vendor, and if a couple of years ago we would have made sure, let's say, SOC 2 report, HITRUST certified for that data area in scope, well now those workers are also working remote. So we've expanded our risk not just from outside into the vendor, but now we have to make sure that they have the right controls in place and attestations, and actually sometimes I want the evidence to see it, that they have those types of controls in place for their people working remote, because we've increased a layer outside our organization again, from our remote workers to theirs. So that's been a big concern, and what you have to do is again work with those vendors, make sure that they have deployed the right type of, I mean, sometimes if we can't give that type of vendor a CHS device, they have to have a certain requirement, have to have certain capabilities. But we've also created portals for them to come into, so they're not actually going directly, VPN directly in. So you have to think about some of those controls that you can have to work with your vendors. But over time, another thing I always make sure I accentuate to people is a vendor today is not the same vendor tomorrow. In other words, there are certain things: scope or services change, they might be bought out by somebody, they might change their security from on-prem to cloud. So these things always have to be reassessed, now in the common environment but always; people forget that that vendor's changing too, hence your assessment of them should constantly change.

I entirely agree with Tim. It's a big investment, so a lot of people confuse the risk management with the risk assessment, and in some ways risk assessment is the easier part, right? So have the conversation with the vendor and see where they stand, give them a

questionnaire and collect answers. There's different ways to do it; you can even go to shared risk assessment platforms which offer you some information over certain vendors. But that's only one piece of the puzzle. For one, you need to implement a process by which you're going to constantly review the vendors. Then you need to also factor in, well, how important is this vendor for us, right? So what happens if the vendor's compromised, and what's the impact on my business process? Maybe it's a vendor that's not so important, so I can cut it loose, and so I could accept a little more risk on that front. But if it's a really important vendor, right, if I'm talking about my public cloud provider and there's a big issue there, I've got to figure out how I'm going to respond to certain events, and that gets factored into my risk management, right? How am I mitigating the risk, how am I accepting the risk, how am I going to react if something happens? All these things have to be factored in, and for smaller organizations it's a lot of heavy lifting that they often lack the resources to do. So you can look to partner up and get some assistance, but it's got to be baked into your process and into your overall sort of governance and risk management. If you're not including your vendors, you're really missing a big piece of the puzzle.

Yeah, so great points by Charles and Tim. There are different types of vendors that organizations have; some are business associates, some are other supply chain vendors, right? And like Charles said, it's not a risk assessment issue, it's a risk management issue. The output from a risk assessment will go into a risk management process to now rank and rate those risks based on the criticality of the service, and then decide what your organizational requirements are to fulfill those risk items. And they may be different, because

HIPAA or CFR does not tell you how to address a risk; they tell you you have to address the risk according to your organizational appetite, right? So you have to develop solutions around how you're going to address a risk for remote access, or data sharing, or supply chain, or whatnot. And those are some of the very difficult conversations sometimes to take place, because the third party or the BAs typically don't understand what you're asking them to do, because they don't have insight into how your risk management process works, right? It's a risk tolerance issue. So there are areas where you can tolerate the risk or transfer the risk, and there are areas where you don't have the luxury to transfer or accept the risk. So you come up with what seem to be draconian requirements, but those have to be done right, and that's where usually the challenge is: how do you educate your third party to accept your requirements in implementing access or anything.

So I'm assuming we have a lot of younger folks in their careers in the audience, because I'm going to go back to the 1980s here, and we're going to talk a little bit about cloud. So for some of you younger folks, cloud has been around a lot longer than

the year 2020, yeah, 2000. So we used to have these things called mainframes that were multi-tenant with time sharing on them, and people would subscribe to these services, and they were the cloud of those days. And the only difference between then and now is that we had slow dial-up modems into the cloud of the day, so it wasn't as embraced, and the applications weren't as fruitful as they are today, because we just had slow access with terminal servers and everything else. So now that we've seen fast speed to the old time-sharing mainframe environments out there, multi-tenant environments now called the cloud, they've brought with them a lot more risk. In fact, at CISO roundtables that I've had, when I would ask CISOs their opinion of the cloud and all, they would tell me, well, now there's no more security by obscurity. If they have an opening, it's not whether or not somebody finds it, because there's always a broadcast of trying to find any mistake that you might have, so you're pretty much all out there. But I'd love to hear from my panelists over here. Let's start with Charles. So how has the cloud environment, and the high speed and the easy access to it and the adaptability of it, introduced risk, and how are you mitigating that?

It's a large component of modern risk. And Michael, to be clear, of course the mainframe part you didn't experience personally, right? You read that in books.

That was my era. I had a box of cards, trust me.

I'm not, okay, I went to school on cards. Yeah, the public cloud introduces a lot of risk and changes the landscape, and the

way that I've explained it to our board and our audit committee and people who are interested in that aspect of it is: traditional risk management and security audit work, and all this kind of work, always works around a defined set of systems that are within the perimeter and scope, right? So there's a scope for the audit, there's a scope for the process, and there are systems that are defined to be in scope, and then you review those systems. Well, when you're dealing with a public cloud environment, it really sort of blows the boundary out of the water, where you know how widespread your systems are, and it makes it a lot more difficult to define a boundary, because you say, okay, well, I'm using this system within the public cloud environment, and then it's connected to all these other services, so by its nature it spreads and extends the boundary of what you need to review. The accessibility that you mentioned also brings in a number of challenging components, right? So I remember early on doing security work where people were worried about exfiltration of data into public forums or chat platforms, and then banks were looking to restrict that as much as possible. So in the heyday of data leak protection, right, you were blocking these sites that would allow uploads of data. Now it's literally everywhere. I mean you can leak data in as many ways as you want, and then you can also process it in as many ways as you want. So your average employee or researcher or person within your environment may just be using a $300 credit from name-your-favorite cloud provider to spin up some instances and then do some work there, and you just created a whole new level of risk that you were not ready to manage, because if they decide to use that output for something, you have sort of no visibility into what they're doing in there, how they're doing it and why. So you need to constantly be reviewing what's going on, educating your workforce, and then making sure they're doing the right things, and providing access to your employees so that if they want to do something you can give them access in a way that's monitored and controlled, so that they don't end up running wild and doing things completely outside of the paved track. So it's definitely added a level of complexity to risk management that was not expected, and it adds a lot of work in tracking where your processes are, who's doing what, how they're doing it and why.

I think one of the things that we have

to keep in consideration is what are we going to use the cloud for. In other words, you can have logs on the cloud, certain types of aggregated data. It gets very, very tough when it's PHI, and we have a lot of Medicare and Medicaid clients, so then that cloud has to be certified at a level that would be almost FedRAMP, because it's CMS data; it's not our data, those are actually their patients coming in to get services from us. So you have to think about, okay, what can I protect in the cloud, can I meet these NIST and HITRUST requirements in the cloud, and sometimes work with that cloud service provider that can allow you to have certain types of audit functions, define that these things are containerized in a certain area, and again for PHI. So it's almost a plan to move to the cloud for full data, within a healthcare space at least, because of the other security requirements around it. It's a tough one.

Right, it all has to, you know, cost-benefit analysis, and also like Tim and Charles said, what are you looking to do with the cloud. Then you have to decide your journey to the cloud; it's not a flip-the-switch type of thing. You decide how you're going to move your compute to the cloud, and then you look at doing a cloud posture assessment, a cloud workload posture assessment, and have that process defined, because it's a totally different shift in how you now run your IT operations, and that really has to be taken into account, to have the resources trained in managing the cloud-based services.

All right, well, guys, that's good. We're really close then; we have a few more minutes. We have a couple of questions for you folks from the audience. First question: what would your recommendations be for organizations starting out a cyber security program?

I mean, I touched upon that earlier. I think the idea is to start

small and build up. If you look at it with the end game in mind right away, it looks like something that's unachievable and unattainable. You have to break it up into pieces. You have to first get the mindset of audit and compliance and risk management into your engineering workforce, into your legal assistance, and the entire body of employees who support that environment. So you have to start small: implementing controls, tracking these controls, collecting artifacts, and trying to build up from there. And then you can look into automated systems and larger platforms that really help implement the full framework, right? So once you have sort of a little bit of momentum going in the direction, looking at a COBIT or a NIST framework will look a lot less intimidating than if you're starting with nothing implemented at all and nothing going on for you. So I think the idea is to start small, spread that mentality around, make sure that people are aware of what you're trying to do, and then really build up on it over a few years.

And quickly, you plan how you're going to structure your cyber security group. Are you going to be governance oversight, or are you actually going to be the people that are looking at all the logs? So you need to spread some of that, decide how you're going to spread that throughout the organization, who's going to, from architecture, infrastructure, network, how are they going to take some of that work, and it's not going to all go from a cyber security area, because that can be a heavy lift at first. So spread out the responsibility and define how that's going to happen.

Yeah, excellent points. And again, I'll go back to, holistically speaking, if you're looking to start a security or cyber security program, pick up the CISSP book and read through it and look at the 10 domains that it has. It'll give you a very clear understanding of what really needs to take place methodically in an organization to build an information security program, and cyber security is a subset of that. If the concepts are not clear, it's virtually impossible to implement anything; if you can't do two plus two equals four, there's going to be a challenge in implementing that, right? So take that, understand it, learn it, and then take that to start building a long-term project of how the cyber security program will be implemented. Smaller gains: show those meaningful gains, low-hanging fruit, show progress, educate users, and then learn the business you're in. That is critical to implementing any type of cybersecurity program: you have to be immersed in the business so you speak the business language, understand the business, before you can actually look to secure the business.

And I'll just add one more thing. I think a fundamental tenet is least privilege, and for those of you playing cyber security bingo out there waiting for the buzzword zero trust, least privilege evolved into the zero trust model. So I think those are key aspects of a cyber security program as well.

Okay, we've got one last question here for you. So you deal with a lot of medical data and PII. How do you handle sharing data with other entities or groups outside your state or even outside your country?

One of the things,

we share very little outside the country, but it would be de-identified. In other words, if they're using it for research, usually it's upper-level aggregated numbers; they don't need to drill down to the actual patient. But people have to actually understand too what de-identified is. That's not always just taking the person's last name off; there are 18 other identifiers that two together can actually add up to. So they have to understand what the PHI identifiers are and then look at the requirements and the risks. We do not share a lot outside of the country, but again, if you look at what the data is used for, and we always read the grant of the researcher. Charles, you probably understand this, but we read these grants specifically, because a lot of times they need the aggregated data numbers. Let's say you're looking at COVID concentration in a certain area; they don't need the people's names. So understanding what's the need too, so you don't have to actually hand out the actual PHI.

Yeah, I'm with him on that. We don't share a lot of data outside. The key for us is to know where the PII or the PHI is, so we have to know at all times where we're storing this kind of data, to make sure that it doesn't leak out and travel when we don't want it to, because we really don't want to share it at all. But we are in a position where we do share some data for science research, and as Tim mentioned, it's de-identified. You also have to understand the different concepts and the different levels of de-identification, right? So there's a concept that we call a limited data set, where you've basically eliminated the clear identifiers for the person, but the dates are not shifted, so that if you have access to enough information you can re-identify the data set if needed. In a truly de-identified data set you should not be able to re-identify anything. And then genomics is a little bit of a gray area right now, because technically there would be a possibility to re-identify using someone's DNA, but just a genome sequence of a person is not considered PII, so this data will tend to travel for research.

Excellent points. I think it's a data governance issue, and research data sharing is part of the data governance policy and process. And like Tim and Charles said, we don't share a whole lot, but when we do have to share for the good of mankind, we have to figure out a way to share that data in a way that it's not compromising any regulatory

requirements.

Yeah, the federal agencies now all require, when you apply for a grant, that your PI for that grant has a data management plan that they can show how they're going to manage and protect the data and how the data is going to flow. So that area is maturing quite fast. Mike, all right, next question.

All right, well, that's our closing question here. Looks like we're already up here, but we'll need you to close it off.

Yeah, sure. So I'd like to mention that these panelists that I have today are actually co-founders of security leaders roundtable chapters that we've started. We started them in New York City and then they moved to New Jersey, and now we have actually 12 chapters; there's one actually in Florida, Derek is a member of that as well, that's on here. They're non-sales forums, and we have them before business hours, and we meet every two to three months. So I welcome you folks to reach out to me. I'll put my Twitter in the chat, I think it went out there, and so you could follow me and I'll put information about these different chapters. And they're just casual get-togethers before business hours, like we did today. We come up with a topic, except that it's not just maybe four of us, it's whoever wants to chime in, and we have them for about an hour and a half on two-to-three-month cycles. So feel free to join our club.

All right, and thanks again to everyone that arrived. Thank you to all of our panelists; I definitely appreciate you guys taking your time out to speak to everyone today, and thank you to our attendees. And once again, like Michael Melore said, please, if you're interested, please make sure you sign up for the security panel. It is a great talk and it is not a sales pitch, so you don't have to worry about vendors, consistency, anything. It's a great time to actually contact and chat with other people in the same industry. Thank you all and see you next time. Thank you very much, thank you.
