About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.
A key component of a successful data security strategy is centered on people; specifically navigating and managing cultural expectations and the organization’s philosophy on data management.
In our very first episode of The CyberPHIx, expert health system CISO Nick Falcone shares first-hand experiences in establishing a formal risk management program with anecdotes and strategies on working within the organization’s culture.
PODCAST TRANSCRIPT
Brian Selfridge: [00:00:10] Welcome to CyberPHIx, the audio resource for information security, privacy, and governance specifically for the health care industry. I'm your host, Brian Selfridge, and in each episode, we will be bringing you pertinent information for thought leaders and health care, information security, privacy, and compliance. In this month's episode, we're speaking with Nick Falcone, who is a seasoned chief information security officer for the health system in the Northeast U.S. And we're talking to Nick today about security strategy and risk management. We would like to hear from you as well. So if you have a specific topic or thought leader that you would like to hear from. Just drop us a note at [email protected]. That's why Beta AI at Meditology Services. Now let's get to this week's interview. Nick, thanks so much for joining us today. It's a real pleasure to be able to speak with you.
Nick Falcone: [00:00:59] Oh, great. No. Thank you for the invitation. I'm looking forward to the conversation.
Brian Selfridge: [00:01:03] Well, our topic today is focused on, you know, information security, strategic planning. Now you've had a variety of CISO information security officer roles, other roles kind of throughout your career in this space. I'm curious when you look at formal strategies and planning and putting together a formal plan that looks forward maybe to how do you approach that process? Do you have a formal security plan? And maybe you could explain a little bit about how you go about just trying to tackle this, this beast, right?
Nick Falcone: [00:01:35] I think you go about it a couple of ways, or at least I do. You know, part of is that that you want to have simply what are the projects you're going to get done in the next, you know, however many years that you want to do your strategic plan for? But I think those projects tend to be driven by, you know, what problems you're trying to solve. So usually I start from a risk assessment type perspective and that can be, you know, get a third party to come and do a risk assessment, do your own risk assessment. And for that sort of initial risk assessment, I both like to do, you know, what are your asset threat vulnerability kind of what are your prominent risks from that perspective? But I also do like to use a checklist approach to a risk assessment. So take whatever regulation you're worried about or take a, you know, a combination checklist like high trust or ISO twenty-seven point one and work through it and just say, Am I doing all of these things? Ok, which ones are important that I'm not doing so, both from a risk perspective and a sort of a checklist compliance perspective? But then when you figure out what you're actually going to do in your strategic plan, I think you have to focus around sort of people and culture. You know, if you just have a list of projects, you probably won't get very far because even simple projects and information security usually get derailed based on, you know, people in culture, right? You say, Oh, we're going to apply patches.
Nick Falcone: [00:02:42] People say, no, you can't have a patch window because I don't trust you. I don't trust Microsoft. They don't trust downtime, you know, whatever. So I think usually, you know, to make a real strategic plan, you know, it's more than a list of projects you have to have sort of cultural or organizational goals that are around people. So and I think there's a lot of good ways to do that. You know, you can change how people feel by changing how they act, and you can typically change how people act, by changing how they feel in different kinds of people need different attacks on that. So, you know, I think the big parts there are to, you know, plan in how you're going to communicate about your strategic plan. Are you going to build metrics early or are you going to build metrics later? Are you going to build a risk management program that reports on high risk early? Or are you going to report on those later? Usually, I start from risk management to drive awareness, to drive culture, to drive change. But some organizations already have a good culture, so you can start with, you know, other areas.
Brian Selfridge: [00:03:32] You mentioned getting away from this idea of a list of projects, and I'm curious, there are so many moving pieces in a comprehensive information security program and privacy for that matter as you delve in that arena as well. How do you begin to kind of coalesce that into a meaningful strategy that you can communicate without being information overload to potential stakeholders that need to consume the strategy?
Nick Falcone: [00:04:01] Yeah, absolutely. So then I think this is where, you know, different frameworks come in to be very useful. So, you know, if you take, you know, a series of projects that you want to do, typically you have some higher-level goals that you want to achieve with those projects. And then you look at all the different standards and regulations and things that you can use to organize those. And I, you know, you pick the one that suits your current aims the best. So if you're, say, working on reacting well to incidents, you might just choose the NIST cybersecurity framework, and then you can use that as a guideline that says, OK, really, you know, instead of information security being these 150 things we want to do, really, there's five parts of information security, right? You have to identify what you have, then you have to protect it, then you have to identify incidents and then react to those incidents and recover. And then you can also say, no, this is what the government points say we should use. Or, you know, this is what our regulators look to and it helps you sort of break things down and to say, you know, like, you know, HIPAA, really, you could say, Oh, really, there's administrative, technical and you know, you know, there are only three kinds of controls. And I think that those are very useful ways to kind of say, you know, sort of inherit some outside credibility into the way you're summarizing things and to just get things boiled down into big summary categories.
Nick Falcone: [00:05:11] So you know, you could use HITRUST, you could use whatever works. And then I think the other important part of how to communicate about that is that nobody outside of information security really cares about the information security aspects. They care about outcomes and they care about how they feel about things, right? So back when I have had a sales job, my boss said that he originally didn't believe it, but that eventually was convinced by his mentor that people buy on emotion and justify with fact and in information security and a seesaw role. You're a salesperson and you have to sell information security. And I do think that that model really does apply. So, you know, if you tell people sort of this dry stuff about, you know, there's I don't know, we've got our hands top 20 controls and we're working on the first floor as our big focus, right? Because let's say you were an organization that was working on, you know, asset management, OK, but they're going to say InfoSec guy said InfoSec stuff. I don't really know. I think you need to wrap that up in a metaphor or a parable or a story that people can really grasp. So, you know, for asset management, I don't know what you would choose, but you know, you have to come up with something that stays with people and it makes them able to really understand what your plan is in their terms.
Brian Selfridge: [00:06:19] It's interesting talking about the idea of selling security and that being a big part of this, the success of a strategic plan or program, apart from those kinds of metaphors that you've laid out there. What are some ways that you present information to start with kind of the sea level, the board level, folks? Is it wrapped in a story like that? How do you go about kind of summarizing everything in a way that's going to be quickly actionable?
Nick Falcone: [00:06:47] Right. So I can give the example of my current last year of board communication that I've done in my current institution was around trying to convey essentially that information security isn't a problem that you can solve. You can't spend your way out of risk and trying to get people to go away from wanting to be safe, to wanting to be well managed, right? And that's an idea that most boards have at the side of the financial services of things, right? They know that their investment portfolio is not safe. They know that it's well managed. And I was also trying to get the idea across. If you have underinvested in security that that carries risk, right? But you know, you can't tell. People don't know there's going to be hackers, there's going to be these bad things. They're not going to understand it. So I used a series of metaphors giving them options for spending levels. And I said, you know, it's like buying a new mode of transportation, right? So you get a bicycle, you could get a junkie used car, you could get a new car or you could get a minivan. And then I stopped. And, you know, I didn't have an option for getting a Cadillac because I said, "Well, you don't want a Cadillac option here, right? You're looking for something that's more reasonable, right?" And I used that, to draw different aspects of the information security plan, you know, sometimes you don't want a new car because you can't afford one, right? So, maybe this used car is is a rational way to go about things.
Nick Falcone: [00:08:02] Or, maybe you're more conservative and you say you do want to buy a new car, showing pictures of a wrecked car and saying, hey, look, here's a Volvo, right? That's a very safe car. It still looks bad after an accident, right? So there's no you can't buy a car that's expensive enough that it's not going to crumple up and ook bad after an accident. The goal is to keep that passenger capsule intact and protect what's important. But there's no car you can buy that's going to look good after an accident to kind of get across this idea that you're going to spend money now and you're going to feel pain later, and I don't want you to. When you feel that pain so far, that has had very good traction with this team,
Brian Selfridge: [00:08:36] Once you get that buy-in at the leadership level and you've used all your analogies and then they're 100 percent behind you, the board says, "Go do it, let us know what money you need." I'm not sure if that situation actually happens, maybe it does. How do you then take a strategic plan and then make it more actionable and operational and kind of communicate it down to the stakeholders, particularly in it and another kind of more tactical roles to then go forth and actually make use of it in a meaningful way? Is that something that's done through your team or how do you communicate at that level?
Nick Falcone: [00:09:11] Right. Behind, all the metaphors and the sales pitch around things, there does have to be that list of projects or goals, you know, actual technical changes you want to make in order to communicate that that I typically try to communicate directly with the technical teams I want to have. I spend a lot of time trying to build those relationships so that they will trust me to hear those recommendations or requirements. And then I try to make a differentiation between who says what we're going to do and who says how we're going to do it. So I try to position the information security team, as you know, defining what the information security goals are. But I try to keep the decisions about how we meet those goals in the hands of the technical people who are going to implement those controls. So for instance, I might say, Hey, we want to implement an intrusion prevention system, and then but I say that to the network team. I say, Hey, you're going to manage this thing, it's going to be in line on your network. You tell me which brand you want, and I'll have some say, and that is to try to buy something terrible. I'll guide them away from it. But I say, you know, what brand do you want to work with? What vendors do you want to work with? How do you want to implement it? And you know, I have this much money that I've been able to get, you know, through all these stories about cars and whatever else. And my goal with that is to make sure that those technical teams feel bought in on those decisions. So if I dictate to them, then they're not going to own it. So they're not going to own either the success or the failure of the security control. Whereas if I let them make the decisions, then it's harder for them to say, Well, you told us to do it this way. So you know, it didn't work out. That's not my fault.
Brian Selfridge: [00:10:38] With the best-laid plans in a strategic plan, you're still potentially up against a changing ecosystem and environment outside of your own organization. So there are emerging threats. There are changes to the business model. Your organization may merge with another one and things into confusion and chaos. From a planning perspective, how far out do you think a security strategy should go? Is it a one-year plan, a three-year plan, five years more or less? How do you approach the duration aspect to make sure that the plan stays relevant, right?
Nick Falcone: [00:11:14] I tend to look out five years just as an arbitrarily, you know, sort of far future for an information security perspective. When I tend to report up to senior leadership, I try to tell them about what we're going to do for the next three years. But then every year and probably multiple times per year, what that plan actually looks like changes, right? So if your budget numbers double or get cut in half, your plan is going to change in the immediate term. And you know, as events happen, you know, you're going to say, Oh, you know, actually, we have a bigger gap over here that we didn't realize let's change next year's plan. So I think you're making frequent updates, at least annually. You're updating what that actual plan is. But I still think it's important to each time you make those updates look out five years so that you're not sort of sending yourself down a one-way street that you can't come back from.
Brian Selfridge: [00:11:57] Now we always say hindsight is 20/20 with some of the stuff, you know, having built security plans myself in the past, I'm always, always evolving the process. But I'm curious as you built these strategies for different disparate organizations over time and kind of evolved your own thinking in this. Are there any "gotchas" or I don't want to call the mistakes. Nobody makes mistakes, right? But things that you might do differently in the next strategy that you make that that maybe you've learned from in the past that you might be willing to share with some folks that could help them kind of avoid those pitfalls.
Nick Falcone: [00:12:29] So I think one area that I might improve in the future would be it's very easy when you're starting a new strategic plan to kind of, you know, use this chart that you see in a lot of different places. I've seen it, you know, basically, every organization I've worked at and all the consulting engagements I used to do where, you know, you have some sort of series of security domains across the bottom, the capability maturity model up the side and you say, you know, we're here, our peers are here and we want to get to here. And I think those charts are really good at getting traction at the start of a program when you know, it's always useful if you can say, Hey, the guys up the street are safer than we are. We're going to look bad. So we have to catch up. Or if you just say, Hey, you know, here are the parts of our program that are lagging behind the other parts of our program. We want them to catch up. But everybody I've seen use those charts and every time I've used those charts, about two or three years later, right? Let's say your target goal was a capability maturity of three. For whatever domain your first project you give yourself, you know you go from a two to a two-point one and then you know, you go to a two-point two and then you have eight more projects and you say, OK, wait, now, you're up at a two-point seven and they say, OK, well, this one took us to a two-point seventy-one, and it's very hard to maintain a program that's sort of emotional push is built around that.
Nick Falcone: [00:13:45] One of those kinds of charts, you know, you get boards who get very frustrated seeing the the the bars start creeping very slowly, so they feel like there's not much of much progress. And you end up in situations where it's hard to convey why we would be moving backward or why we invested a lot and stayed the same. So you might have an organization that, you know, let's say they were working on things a long time ago and they had all their endpoints and other portable media was well controlled, right? So they said, Oh, we're at a three-point five on portable media or even a four, but then the cell phone revolution happens. Everyone has a smartphone, and I have all these uncontrolled media out there again. And then you say, Oh, we did this, bring your own device mobile device management project. We brought all that, you know, cell phone media under control, and we're at the same reading where we were before. It's too focused on progress rather than on maintaining a sustainable security program.
Brian Selfridge: [00:14:36] What are some of the measures and metrics that you think are useful to communicate at the level where you're trying to get traction? So if the bar charts and maturity curve has some pitfalls to it, I've seen organizations report up things like very granular, like, Oh, we're going to show all the vulnerabilities from our latest vulnerability scan to the sea level. And that always just causes more trouble than it's worth. But is there a balance there somewhere? What are some of the things that you think are worth measuring and reporting to show a sustainable program is functioning? If it's not kind of a maturity view, how do you approach that?
Nick Falcone: [00:15:13] Right. And I like the maturity view for getting traction. I just think then you need to plan while you're implementing against that to have something else that will give you sustainable traction. I think things that have done very well in that area for me before are indicators that are either, you know, sort of metrics like incidents detected. And it's just hard to sell people on the idea that you want that number to go up. But eventually, I think you can. I've had a lot of success around risk metrics, so whether it's your vulnerabilities or just your risk assessment results or your third-party vendors and ideally all of those sort of merged into one, you know? You know, security risk management program. I always work backward and define my risk scale such that, you know, there's some category at the top that, you know, critical or whatever you want to call it that however risky or not risky your organization is, there's probably a few problems you really want the executives to focus on. And so I define the risk scale, you know, sort of backward so that I know that it's going to come out with, you know, probably three, but at least under 10, you know, ideally, five or less problems that rank out at the critical rating. And that way, you know, you have your low, medium, high critical and whatever it is, critical always ends up being about five things. And then you can report on your portfolio of risk. And then when you drill down to the details, you have this natural breakpoint, you say, Well, I'm going to drill down on the details of these critical problems.
Nick Falcone: [00:16:34] I have five things I need your help with senior management, right? I need funding for identity and access management. I need, you know, I need to build an instant response team, whatever it is that what you have, metrics you can show progress with, but you also have a way to drill down the detail, but keep it very executive summary style. And then lastly, I would say in risk management metrics, it's very useful if you can divide up risk ownership by group so that you can say, OK, you know, if you had different locations or you have different divisions or whatever sort of group of leaders you need to put pressure on if you can eventually get to a point where you can give comparative risk portfolios between those groups so you can say, you know, Hospital A has this risk portfolio and Hospital B has this risk portfolio. That's very useful because then whoever's at the bottom who looks the worst, they're going to try to move those metrics up. You have to be very careful while implementing that and kind of be very clever about it or you get run out on a rail, but eventually, you can have people competing against each other, which is especially useful in an organization where people don't necessarily have the cultural drive towards risk mitigation. You can help influence that through those kinds of metrics.
Brian Selfridge: [00:17:38] You bring up an important point is raised. I think when we look at this view of compliance versus risk management and looking at a strategic plan. Historically, organizations in one way shape, or form have had at least some view toward hyper compliance. And there are certain stakeholders that will kind of have that view and others will have more of a breach avoidance, risk management kind of focus. And I think that what we've seen with the security officers and security leaders out there is that they tend to veer toward one way or the other focused heavily on compliance or risk management. It's tough to strike a balance. How do you approach communicating the compliance aspects to those stakeholders that think that way and the risk management aspects to those that may be understanding this problem from that perspective?
Nick Falcone: [00:18:26] You know, my intuitive approach to these things is as the risk management type of mindset, you know, I always have trouble conveying to people sometimes what I mean when I say, you know, I'm a risk-oriented person or that's how I think of things, if you tell people that you know you have a gambler's mindset, they think of you as a reckless risk-taker. But then you have to point out that, you know, the casinos earn a very steady margin and they're gamblers too, right? So you don't have to be the, you know, the gambler. You can be the house when you have a gambling mentality. And so I approach even compliance risk management from a risk-based perspective. That's not to say that, you know, once you know the law, you have to comply with the law. That's sort of obvious. But even in that regard, how you comply with the law, the degree to which you, you know where you focus your resources, that all does end up being risk-based. You know, I think whether people want to admit to it or not if anyone who's running one of these programs has to prioritize. And so then they're prioritizing based on some intuitive understanding of risk, even if they're a compliance-driven individual.
Brian Selfridge: [00:19:26] The question of prioritization, I think, is a very important one when kind of managing the strategy and we often hear challenges with trying to keep the organization on point toward a consistent strategy. So when you have these flavour of the day, cyber threats of the day, types of incidents, WannaCry, Heartbleed and you can go back every year, every quarter, there's something different, right? How do you keep the organization on task with a longer-term strategy while still kind of dealing with the fire drills and these kinds of high profile types of security threats that may threaten to take priority for better or for worse over other strategic initiatives that you have planned?
Nick Falcone: [00:20:11] Right? I mean, oftentimes those the buzzy, you know, buzzword type, you know, issues are good advertising for whatever your strategic plan is, depending on how you spin it. This is especially the case because outside of the information security team and maybe some IT stakeholders, most people don't really get your strategy unless you spend a ton of time with them. And if they really understand your strategy, then you don't need to do much to keep them on track. So for the other folks who sort of say, Oh, you know, what about this Heartbleed thing? And if you've already handled it, but they're still in a panic about you, say, you know, you're right, really. Web application layer security is important, you know, to an infosec guy. Comparing those two seems like, wow, that's not exactly but to the general public. That's really what they're worried about. Are bad guys doing bad things to you from over the internet? And so I think you can usually spin these to put momentum into your own, you know, your existing strategy. And when you can't, I think that's where you fall back on this idea of storytelling. You know, it makes sense. You know, you have to be able to explain whatever's the buzzword of the minute and whatever your strategy is in understandable comparable terms to people so that they can say, Oh, I can see why you're not worried about this, but you are worried about that.
Nick Falcone: [00:21:23] You know, if you were an organization that ran, you know, let's say you were a web services company, you ran only on Linux and people were in a panic about WannaCry. You'd have to come up with a, you know, if you start telling them about Linux and you know, and SMB and these kinds of things, they're immediately going to say, like, I don't feel like you've got this handled. But if you start talking about, you know, some metaphorical way of explaining that we by our nature are immune to this and it's not a problem for us. But what we do need to do is do patching because, you know, we have the same root issues. So WannaCry is not a problem for us, but we need to do patch it. We need to prepare. You know, and I don't know if you talk about how you do that in any given situation. I spend a lot of my time thinking about how can I explain this? But I think you need to be able to explain the comparison that you're making in terms that your audience is going to really understand.
Brian Selfridge: [00:22:10] Well, this has been a wonderful conversation I want to thank so much my guest, Nick Falcone, a chief information security officer at a health system, and many other roles over time. Nick, thank you so much. I've learned a ton today and I'm certain others will share my perspective there as they are able to listen to and apply some of the wisdom we've been able to pass down. Thank you so much for joining us today. It's been a pleasure.
Nick Falcone: [00:22:33] Thanks for having me, O'Brien.
Brian Selfridge: [00:22:35] Again, I would like to thank our guests, Nick Falcone, for helping us understand the nuances about information security strategy and risk management, some of the key takeaways for me are at least Nick's insights into building and tracking and information security plan. Some of the inputs that go into that and really learning how to communicate with executives effectively ranging from telling stories and allowing folks to understand the emotional aspect and the narrative aspect of their information security strategic program. And weaving that into how you communicate and get consensus around your information security program. So great stuff today. Really appreciate Nick's time and sharing some great insights with us. As always, we'd love to have your feedback and hear from you as well. Feel free to drop us a note about what topic you'd like to hear about or a thought leader you would like to hear from. And our email address is [email protected]. For our next podcast, we'll be talking to Janet Cormier and Paul Wolfe from Tivity Health. Please join us where we would be discussing best practices for managing a security and compliance program amid organizational changes, mergers, and acquisitions. Thanks so much.