It Takes a Cyber Village: Cybersecurity Roles & Responsibilities

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Who is responsible for cybersecurity? It’s a simple question, but the answer may be more complex than you think. Listen in as we sit down with TJ Mann, Chief Information Security Officer at Children's Mercy Hospital in Kansas City.

TJ helps us understand why it takes a cyber village to protect healthcare organizations. We delve into the roles and responsibilities that various stakeholder groups need to play to support and deliver effective information security programs.

Highlights of the discussion include:
  • Which specific roles and stakeholders have the greatest impact on cybersecurity program effectiveness
  • Healthcare business units that carry the most risk for healthcare entities
  • Managing accountability for third-party vendors and shadow IT groups
  • The changing role of enterprise risk management in healthcare
  • Busting the myth that there is only one kind of end user
  • The tension and collaboration between security, internal audit, and compliance functions
  • The impact of the remote workforce on security roles and expectations
  • The evolution of security leadership and team roles and functions

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:19] Hello, welcome to the CyberPHIx, your audio resource for information security, privacy and risk specifically for the health care industry. I'm your host, Brian Selfridge. In each episode, we will bring you pertinent information from thought leaders in health care information security and privacy. In this session we'll be speaking to TJ Mann. TJ is the Senior Director of Cyber Security and Chief Information Security Officer at Children's Mercy Hospital in Kansas City. I'll be speaking to TJ about roles and responsibilities of various stakeholder groups in health care that support the cybersecurity and risk program.

Brian Selfridge: [00:00:53] There are some surprises in here and some great insights from TJ. And I think we can all take away some lessons learned from this one. So now let's get to another great conversation with yet another amazing guest, TJ Mann.

Brian Selfridge: [00:01:11] Hello and welcome to CyberPHIx, your leading podcast for cybersecurity, privacy, risk and compliance, specifically for the health care industry. I would like to welcome my guest, TJ Mann. TJ is Senior Director of Cyber Security and Chief Information Security Officer at Children's Mercy Hospital in Kansas City. He has a lengthy resume of experience in cybersecurity and privacy leadership, including prior roles with PricewaterhouseCoopers, which is also my alma mater. And he has served in other leadership roles, including with Bank of America and LexisNexis. TJ is an industry thought leader and has published valuable insights for the industry on a routine basis. For that we are very appreciative and thankful, and we are very excited to have TJ as a guest on the CyberPHIx today.

Brian Selfridge: [00:01:53] In our session today, we'll delve into the roles and responsibilities of various stakeholder groups in health care organizations that need to play a supporting role to help deliver effective information security programs. It takes a village, right? So, TJ, thank you so much for taking the time to be here with us today. We're really excited to have you on the show.

TJ Mann: [00:02:11] Thank you for having me here, Brian.

Brian Selfridge: [00:02:13] So, TJ, this might be a short interview, right? The question we posed today is: who is responsible for cybersecurity? I see your title says things like director and chief information security officer, officer in chief. So isn't it you? Aren't you responsible? Or is it not that simple?

TJ Mann: [00:02:30] Yeah, it's a short question, right? But it's a lengthy answer, surely. I'm accountable for all things information security and cyber security in my current role, but like you said, it takes a village. I'd like to start off with one statement, which is: cybersecurity is not a task, it's a risk. So it already becomes challenging to say who is responsible for it when you have a risk, right? And moreover, cybersecurity is an enterprise risk. So when cybersecurity breaches and incidents do occur, and it's a matter of when, not if, they impact the entire organization. They don't disrupt one single business unit or one single team; they impact the entire organization. So the entire organization is responsible for reducing cyber risk by partnering with the cyber security teams and changing the organizational culture. So fortunately, not a short answer on who is responsible for it. There are multiple teams, and almost every single business unit and various other ancillary business units are responsible for cybersecurity in their own way, in their own areas. And the key is to collaborate with the cyber security team. When I talk about business units, those are the business units that are generating revenue, that are building products. When you look at it from an accounting standpoint, cyber security is a cost center.

TJ Mann: [00:04:08] We don't generate revenue. We protect the organization and we reduce risk for the organization. But there are the business units that are generating revenue, the lines of business, and then other ancillary business units, such as compliance, internal audit, enterprise risk management, and I.T. being one of the most critical partners in reducing risk from a cyber security standpoint. And also we have our end users, who are what I call the first line of defense against many of the cybersecurity threats that are thrown at us. And then you have some shadow I.T. teams, who, you know, always like to go and do their own thing, and we have to go out and partner with them to make sure that they align with our best practices. And then you have external entities like vendors, right? And we've seen in the last year some major breaches coming out of vendors: SolarWinds, Blackbaud. So vendors are equally responsible for cyber security in their own way. And like I said, all these teams have to work collectively to focus on one goal of reducing risk to the organization.

Brian Selfridge: [00:05:28] So let's dive a little deeper into the nuances of those different groups, because it seems like there are a lot of players at the table, so to speak. Especially striking is the end users being involved, and the business being involved, and all these different pieces. Maybe we can start with some of the less obvious stakeholder groups, as I think that's a little more fun. IT and other groups we will get to in due course; they're probably the most important. But how about the business units? Are there certain business units that have more or less of a role to play with security and risk than others? And what are they?

TJ Mann: [00:06:00] Yeah, so, you know, I like to start off with the quote that I had in my article, that the business is running at the speed of a Ferrari and we have to play catch up, because like I said, they are the ones who are generating revenue. They're the ones who have products and they have to go out. Perhaps it's an extension of our current business model, perhaps it's a new product that's coming out, and with everything being digital today, it's imperative to include cyber security in evaluations, include cyber security in product design and product security. So, you know, then we look at threats, threat vectors such as business email compromise and spear phishing, and the financial fraud that comes with it. So there are certain business units such as, let's say, finance. Right, let's take finance as an example. And you couple that with the C suite as end users, as I like to portray them, even though they have a lot more authority and influence over their organization. Because of that authority and influence and access in their organization, finance becomes one of the top business units where cyber security teams should be partnering with them to help them understand today's cyber threats, help them understand how to spot them and how to report those cyber threats, and what not to do, right?

TJ Mann: [00:07:36] So let's take an example of a financial fraud. A CEO gets a spear phishing email and gets their account compromised, and these cyber criminals then impersonate the CEO and send an email to finance. We've been seeing a lot of spoofed domains as well, and spoofed credentials. So the cyber criminals send an email to the finance department, portraying themselves as the CEO, asking to authorize a wire transfer on a Friday at three thirty PM, saying, "I don't have access to my phone. I can't do this right now. Can you just go ahead and pay this vendor with this account number two hundred thousand dollars?" It's unlikely that a finance team which is not trained on cyber threats will ask a question to the CEO like, "Hey, is that really you? What do you want? Why do you want me to do this? This is outside of our normal process." Those questions are necessary and important. But because of this kind of power dynamic, the organization can quickly lose funds, because they're going to say, well, it's coming from the CEO. He or she wants me to send some funds and wire some money over to this account.

TJ Mann: [00:08:58] I'm going to do it. I'm not going to ask questions. So, similar to that, let's say H.R., right? There is a treasure trove of personal information with H.R., and a targeted phishing attack on the H.R. group can disclose a lot of that if those mailboxes are compromised. And granted, controls like MFA really play a huge role in thwarting these attacks. And you look at other business units such as research, right? They have a lot of research data, and lately there's been a lot of discussion around that. We have a newly built research institute and we do a lot of research. There have been articles and warnings from the FBI on the involvement of nation state actors such as China in grabbing that genetics data of Americans for their own advancement purposes. So there are a lot of business units who have access to sensitive, confidential information which, if disclosed, can result in huge fines and incidents for the organization. So those business units are on the target list, but they can thwart those attacks if they are trained appropriately on security awareness, if they're trained appropriately to spot these attacks and report them appropriately to the cyber security teams.

Brian Selfridge: [00:10:38] You mentioned shadow IT in your intro here, and also in that article you mentioned, I think you go into that a little bit. I want to talk about those business units that do have some degree of extra I.T. or shadow I.T., all these terms we use. Can you tell us a little bit more about that? Which departments in particular in a health care setting? I know radiology usually gets a lot of attention, and those types of groups. What are the departments that you need to sort of dig into to understand the shadow IT and get involved from a security standpoint?

TJ Mann: [00:11:09] Sure, absolutely. So first of all, I like to say, you know, shadow teams probably were once created to better serve the organization, and they're usually a result of an immature I.T. or security department. They needed to have something of their own, a small IT department, because the enterprise team couldn't serve the needs of the entire organization. So certain groups in a health care setting, let's say biomedical and clinical engineering, radiology for sure, as you mentioned. And then H.R. usually has a small I.T. team for their H.R. systems. And then you look at research, who is playing with cutting edge technology and cluster computing, and is playing with genetics research and advanced computing concepts. They usually have a small group of folks who are trained and skilled in those systems and are performing system administration or are handling their day to day system management jobs. So, like I said, these shadow teams were likely once created to better serve the business with all the right intentions, but they create a big challenge for cyber security teams. We like to lay out the governance and the policies and standards: how things should be done, what's OK, what's not OK, and what are those guardrails within which we need to conduct business, not to slow down the business, but to help the business by reducing risk.

TJ Mann: [00:13:04] Right, so we can protect the business. But individuals deviating from best practices is a very common theme with shadow teams, and then bypassing change control is another one, and including cyber and IT teams at a later stage, and not from the beginning, as they're developing and maturing their areas. Those are some of the things that really hurt the overall cybersecurity posture of the organization. So obviously the best practice would be to consolidate those teams into enterprise I.T. and cyber teams. But it's not easy. There's a lot of politics. There's a lot of organizational history behind it. And you can't just one day say, hey, from tomorrow on you don't exist, you're part of this team. So what a CISO can do there is educate those shadow I.T. teams on best practices, train them on security awareness, and extend the enterprise policies and standards to those shadow teams so they can become a partner with the cybersecurity team in identifying and reducing risk for the entire organization.

Brian Selfridge: [00:14:20] Now, with research in particular, I found that was always a particularly challenging group, as those folks get grants and they go off and buy their "Apple this" and their "server that" and plug it into the wall and take it home, all that stuff. What kind of guardrails can you put around those situations other than education, as you mentioned? Are there any harder guardrails around procurement or anything you can do to get a handle on some of that?

TJ Mann: [00:14:43] Yeah, and that's similar to what we've done here as well. We've designed a robust procurement process where we've integrated contracts, supply chain, research, I.T. and cyber security, where we have visibility into, like you mentioned, new medical instruments or new research equipment that's coming on site. And as you can imagine, with the opening of a brand new research institute, we're hiring a lot of researchers right now. And most of these researchers bring their entire, quote unquote, lab with them when they come from a different research institution. So this presents some unique challenges, because you have equipment, and they also like to bring the data with them. So they present some unique challenges in terms of, OK, how do you make sure that everything is sanitized, as you may want to say. And then also coming to the vendors: the vendors in the health care industry are very unique in that they like to sell their product along with a PC and along with a server and everything, all as a bundled deal. And they pose a big, big challenge to IT and cyber teams, because now those systems and that equipment have to be on the network, because they need to do a pull or they need to push data somewhere else on the network.

TJ Mann: [00:16:23] And the vendors don't typically allow you to change anything or modify anything on that equipment. And you can't manage that equipment, right? That's partly the reason, also, those shadow teams exist, because they have to manage those systems. So we've created a robust procurement process where any new procurement request goes through a process where cyber teams are involved and they perform a security review on the system and the product and the vendor as well. This is where you integrate your third party risk management process as well. So you're making sure that it's not somebody who's just building a product in their garage and sending it out, and there's no support, and they don't even care about patching new vulnerabilities that are coming out. So as things are progressing through the procurement process, we have a gate check process to make sure that a security review is done before the contract moves forward for signatures or issuing a.

Brian Selfridge: [00:17:30] So I want to circle us back a little bit to these different stakeholder groups and talk about a topic that you mentioned earlier around enterprise risk, and really looking at risk from that lens. I want to talk about the historical health care enterprise risk management department. And just a quick sort of anecdote for that. When I was a security officer in a health system years back, I was a bit wide eyed and naïve in some ways. And I went to the risk management director, the director of clinical risk, enterprise risk, whatever they call it. And I said, hey, you know, we've got all these cyber risks, and, well, let's, you know, let's align. Let me roll them up, you can report them out, we'll work together. And she looked at me like a deer in the headlights and was like, why? Why would I do that? I don't know what you're talking about. I don't know what was going through her head, but it was like, no, you do not play in my world. And, you know, at that time, I guess, clinical risk and financial risk were really what the story was all about. Now I've been away from that table for a couple of years. Has that changed? Is the conversation different? What role does health care enterprise risk or clinical risk play, and where are the overlaps with the cyber stuff these days?

TJ Mann: [00:18:36] Yeah, well, it's definitely changed. If you look at top industry risks for health care, you'll find cybersecurity usually in the top three. Granted, now there's been focus on business continuity and pandemic and emergency preparedness as well. But kudos to cyber security, we haven't lost a lot of position. So it's definitely one of the top risks for any organization. And an enterprise risk management group plays a vital role in that, because they exist to guide the CISO in developing and defining the cyber risk management program, which then reports up to the enterprise risk management program for the organization. Because ultimately the CISO is responsible for managing cyber risks across the organization, but the CISO doesn't define what those risk tolerances may be, right? It's the business that has to, because in the end, it's a business decision the business has to define and agree on: if this is a risk that they would like to manage, or if this is a risk we'd like to pass on to somebody, or if this is a risk that we'd like to mitigate, or if this is a risk that we just want to accept. So the enterprise risk management teams can help a CISO validate the cyber risks as the cybersecurity team develops the risk register and jots down all those risks from a cybersecurity standpoint that may impact the organization. And that's one of the first things, you know, any cybersecurity leader should be doing: understand the risk and threat landscape of the organization and the industry vertical and the sector that they're in, to really start figuring out what may happen and who those threat actors are and what they are after. So once you have that risk register, you map that up with the enterprise risk management group.

TJ Mann: [00:20:52] And then the enterprise risk management group liaises with executive management and the board of directors, and ultimately the board of directors are the ultimate body responsible for shaping any organization's cybersecurity program, because it's their fiduciary duty to manage risk to the organization, and cyber is one of those risks. So I talked a little bit about risk tolerances and risk appetite. Those risk tolerances are very crucial, because as we from a cyber standpoint are implementing controls, those controls need tweaking over time and constantly. And that tweaking depends on what our risk guidelines and guardrails are, what our risk tolerance is. Are we OK losing one hundred thousand dollars? Are we OK losing five hundred thousand dollars? Are we OK losing one million dollars? That really depends on each organization's risk tolerance. So the enterprise risk management group helps the cybersecurity leaders define those risk tolerances and overall liaises with the executive management to manage cyber risk according to the organization's risk appetite. This is also a chance, you know, for all the cybersecurity leaders who may want more funding or resources. This is where you go and define where the risk is trending, and why we need to act. And if the organization says, hey, we don't like this trend that's going up, then that's where you come in and say, OK, well, to manage that, here's my plan. We need X resources, we need Y funding, and here's the Z timeline that we will take to bring this trend line back into the range that you'd want me to bring it to. Enterprise risk management plays a huge role in overall cyber security risk management.

Brian Selfridge: [00:22:48] I always found those groups to be particularly humbling too. What I mean by that is, when a security person gets in front of those groups, we get a better awareness of the other risks the organization was dealing with. Very real and material and imminent financial and regulatory and clinical things we have to worry about. It helped me take a step back and say, OK, I know cyber is everything to us, right? And we've been so long jumping up and down and saying cyber is a big risk. But now it sounds like they know that; we don't have to convince them that cyber security is a risk. Now it's more about where we fit in. I just always felt I learned a lot from that group, in addition to just being the person to always be shouting about cyber security, which is an important part of the role.

Brian Selfridge: [00:23:32] So you talked about end users earlier. I'd like to go back to that if we can, because I think that's a big bucket and perhaps arguably one of the bigger challenges, I guess, in trying to engage the workforce in helping with the mission. Now, is there just one kind of end user? Do we just give everyone the training and everybody gets the same thing, or is there any more nuance to that, different types of end users? Or maybe, how do you approach the end user base generally? That's a loaded question, so go anywhere you want with that.

TJ Mann: [00:24:04] OK, Brian, you know, when we talk about end users, it also varies with the industry. If you're the cybersecurity leader for a technology company, you may have end users who are very tech savvy already. And if you're working like me in a health care setting, you'll find, you know, end users who are not that tech savvy, and rightfully so, right? They're doctors, clinicians, nurses. Their training is in their academics. Their job is to provide medical care, and they use technology to do that job. But they're not technologists. So they may not be very tech savvy. Granted, some are, you know, I'm not generalizing folks here, but in a broad sense, they're focused on providing care and improving well-being for their patients. So cyber security may not be on top of their minds. So you have those standard users in a health care setting, you have the care providers, and then you have certain technology groups who may have more access than a normal or standard user, because that's needed for them to conduct their job.

TJ Mann: [00:25:34] And then you also have the executive management and the C suite, who, depending on how your organization's identity and access management program and practices are set up... I've seen where a new SVP or C suite executive comes in and asks for a certain kind of access, and no questions are asked, and here you go, right? But like I mentioned earlier, those C suite users also have influence and authority in the organization, and they may have more access than is needed. So there are a few different kinds of end users. And let's dive a little bit deeper into those standard users. As I mentioned, your standard day to day end user who's doing their job and running the business and moving it along. And we've seen lately, in the last year, the last few years, ransomware being one of the top imminent threats to the health care industry. And it's interesting to say that Maze used to be the major ransomware operator in twenty nineteen. And I was reading a report by HHS that said that now there are 18 ransomware operators.

Brian Selfridge: [00:26:58] And Maze is gone. I think they, yeah, they hung up their keyboards, I suppose, and said, we're not doing this anymore. They claim some high ground: we were doing this for the interest of the industry. OK, whatever. But they're not doing it anymore. So I don't know whether we believe that. But yeah, 18 groups, wow.

TJ Mann: [00:27:17] Yeah. And, you know, I mean, Maze was mostly focused on releasing or publishing stolen data, but now we have ransomware operators like, you know, REvil, who are permanently deleting stolen data entirely or are targeting executives for ransom payments. So what I'm trying to say here is that there are a few different vectors for ransomware to enter the organization, and phishing, through email, is one of the top vectors. And obviously you have passwords that may also contribute to that, and a couple of other vectors with vulnerabilities in VPNs and so forth. But email continues to be the threat vector for the majority, in effect. And without a cyber aware end user community, it's a ticking bomb. You know, it's going to happen one day that somebody's going to click on something, and to no fault of their own. We didn't have email, let's say, 50 years ago. We used to have paper communications and memos, and we gave all those end users email as a business tool to conduct effective communication. But like with any tool, there comes some cyber risk associated with it. And it's the responsibility of the cyber leaders to train those end users on spotting these social engineering attacks. If they're trained to do so, they can contribute towards reducing cyber risk by following good cyber security hygiene practices. So a robust security awareness and training program really helps with educating against and thwarting those kinds of attacks.

TJ Mann: [00:29:20] And that goes along with all kinds of end users, right? But there are certain end users, like I talked a little bit about, privileged users who may have more access than a standard user because that's needed for them to do their job. These may be system administrators, engineers, developers; helpdesk staff usually have privileged access because they need to do password resets or whatnot as part of their job. But their identities are even more valuable to cyber criminals. Typically, if you look at the cyber kill chain, once a cyber criminal is able to get their foot in the door, maybe with a phishing email, they then move on to steal privileged credentials so they can move laterally or vertically within the organization, and maybe stay low and try to monitor what's going on. And here come different hooks into different attacks. So they can just stay low and monitor the email communication between the CEO and the finance department, and try to understand the writing style of the CEO, and then craft a particularly targeted and focused spear phishing email for the finance department that looks exactly like how the CEO writes: the words the CEO uses and how the CEO formats and drafts emails, to make it look very legitimate. So it's very critical for the cyber teams to protect those privileged identities and workstations for privileged use. The best practice would be to give them a separate privileged identity that they should be using for those tasks, rather than their standard identity, and rather than giving excessive rights on their standard identity, give them a privileged identity that they can switch to to perform those tasks and then switch back to their standard identity.

TJ Mann: [00:31:20] There are other solutions to that as well. For example, a privileged access workstation, a separate laptop or workstation that they only use for those tasks. But those privileged users are a treasure trove for cyber criminals. And then we come to the C suite, right? I've mentioned a couple of times here, they have authority, influence and access privileges in the organization, and they're typically on the top of the target list for cyber criminals due to that. So it makes it even more important to conduct focused and targeted security awareness and training for the C suite because of the threats that they may be seeing, so they are cyber aware and they know how to report suspicious events to the cyber security team. Usually we're sending out these security awareness trainings monthly or quarterly. The C suite doesn't usually have time for that, and, you know, they're busy with other things. So a focused training program for the C suite goes a long way. For them to know what to do, what the process is, if they've been compromised or if they've been sent a phishing hook or if they've accidentally clicked on something, that goes a long way, because that can help us quickly mobilize and eradicate that threat from the environment.

Brian Selfridge: [00:32:51] Now, with IT moving remotely, actually the entire workforce moving remotely, but keeping focused on IT, since we're talking about them a bit: have those practices, procedures and behaviors changed, or do they need to change for administrators, especially those with privileged access who are now remote? Can they still get to those special workstations that allow them to get the privileged access? Does that no longer make sense, or do they still need to use their separate account? Is there anything that needs to be done differently with the remote IT workforce than with the traditional I.T. and user security protocol?

TJ Mann: [00:33:25] Well, so with everyone going remote, right, fortunately we were set up for it before the pandemic, and like all the other organizations, we moved pretty much everyone to remote work overnight. So, you know, as long as you're following best practices, you're coming through a VPN into the organization. Now, we're also looking at other solutions, such as zero trust, and getting rid of VPNs in the future. So as long as those privileged users are coming through the VPN and they're following those best practices of switching between their standard and privileged identity, everything stays the same, right? But with folks being remote, now not everyone connects to the VPN, because you have cloud based SaaS products, so you don't need to be on the VPN or the organizational network to check your email or respond to emails or get into Teams. So security awareness becomes even more important in that scenario, because those privileged users having an understanding of how important they are to cyber criminals helps the overall cybersecurity team reduce risk to the organization. And they can continue to do their job the way they were doing it. But having controls such as, you know, a password vault where those privileged identity passwords are kept could be another control to mitigate any additional risk that may be coming from it. But having an understanding that these are the best practices, here's the policy, and this is what you should be doing with your privileged identity would be helpful.

Brian Selfridge: [00:35:25] Well, we've covered a lot of groups and I'm sure there are more, but we've certainly saved some of the best for last here, and that means ourselves, security, compliance folks. So I wonder if you could tell us a little bit about the role of internal audit, compliance departments, whatever they're called in different organizations, and security, and sort of their overlap. And specifically, I know in some organizations there's a bit of an animosity between compliance, internal audit, and security. Groups sometimes grew up in separate universes and are auditing each other and auditing around the same topics. And that can create some conflicts. Have you seen that as well? Or is everybody pulling in the same direction here, or do you still see any of that sort of tension that goes on?

TJ Mann: [00:36:10] So I think there is a continuous effort and there is a continuous strengthening of the relationship that's needed for that to occur. Compliance is good for cybersecurity. I know a lot of people say compliance. I actually say compliance is good for cybersecurity because they help us ensure that we're following all the regulatory practices, and because of the consequences. There are fines from a regulatory standpoint. But a well-built cybersecurity program should incorporate an organization's compliance requirements. But a compliance-based cybersecurity program is just merely checking the boxes. And like I said, they play a significant role in ensuring that we have the right set of controls in place to meet all our regulatory compliance requirements, and we don't get fined due to that. And compliance also will highlight, based on their compliance assessments, they help us highlight areas of improvement before a threat can exploit vulnerabilities in a control that may have weakened, or a control that needs more expansion into the business areas now, or also helping with maintaining a healthy and controlled security compliance area within the organization. I'll give an example of the PCI regulation here. It's massive, right? If you talk to any cybersecurity professional, PCI is a pain, and I used to be a QSA so I can talk both sides of the role here. And I love PCI just because I've lived in that world for so long. But it's a pain to comply with. And the most important thing you can do here is manage your scope and make sure it stays small. Make sure there is a good governance process in place for new products that the business wants to roll out with a payment module component to it.

TJ Mann: [00:38:29] But from a compliance standpoint, that's where compliance and security in this example can partner and say, OK, yeah, we can expand our scope. These are the security controls that will go in, and then compliance has to work very closely with security, cybersecurity, to say, here's our scope. You know, these are the controls that are in scope. Let's make sure that these are in place. So I like compliance. I think they're good for cybersecurity, but they should not be the driver for cybersecurity. When it comes to internal audit, I think a solid internal audit program is a saving grace in many situations because they help audit our controls. They help audit the different organizational programs. They help identify gaps from a security, regulatory and performance of internal controls perspective. The only thing I'd like to see here is that, because I think of audit fatigue, you don't want to get into that. And it's crucial to be a good partner with internal audit and train them on what are the evolving and emerging cybersecurity threats in the industry, so they can tweak their internal audit program to focus on areas where cybersecurity is telling them, we know these are our weaknesses based on what's happening in the industry and what we're seeing out there. But they do bring an independent perspective, which I totally respect, on that and on improving our cybersecurity posture. So it's imperative to build a good relationship with internal audit, and for internal audit to seek input from cybersecurity leaders on building their internal audit plans, because that's how it's going to be a mutually beneficial relationship for both areas.

Brian Selfridge: [00:40:26] I'm glad you mentioned PCI as the example. We are a QSA as well in health care, and health care loves our big flat networks. Right? So that can always be a big problem for us. Well, we've come a long way, TJ, from our initial premise that you and the security team own everything. And now we've learned that it couldn't be more the opposite, with all the different groups that we need to work with and that need to have a stake in this. But now that we've touched on all those, what's left for security to do? How do you see security's role evolving, or how has it evolved, to make sure that all these groups are doing the right thing, as well as what's left over for us as cybersecurity leaders to do beyond the areas you've touched on around education and those types of things?

TJ Mann: [00:41:10] Yeah, sure, Brian. I think we still need to work towards getting more engaged and involved in the overall organization's priorities and strategies and goals. Usually, you know, IT and cybersecurity is looked at as, you guys build servers, or you guys just protect us. So we'll come to you when we need you. That's not the case anymore. And with the evolving risk and threat landscape and with the digital transformation and how quickly we are producing and building new products and acquiring new technology, it's imperative that cybersecurity is brought into the game early enough. So we can point out those risks. We can point out where we may be taking on more risk than is needed. We can suggest alternative solutions. So I think that still is evolving and that needs to be a continued focus moving forward: give cybersecurity a seat at the table, involve them early enough, get them in and give them an understanding of where the business is going. But on the flip side, it's also the responsibility of the cybersecurity leaders to make sure that their cybersecurity programs are aligned with business strategies and business goals. So they're not just there to put on perimeter defenses or buy a new shiny object like, this is what we need now. But everything that we should be doing should be aligned to a business strategy and a business goal, which should be selling the business forward, not just putting locks and red tape because it's red tape. So I think that's what's needed. More involvement, more engagement and more inclusion of cybersecurity teams, the cybersecurity group itself, into organizational decisions or organizational strategies and goals.

Brian Selfridge: [00:43:19] Well said, and I think great closing remarks for us here as we wrap up this conversation around what we can all do. And it seems like there's no shortage of work for us to do as organizations. As you mentioned, we're in the top risk categories now, so that's good for us, but also increased accountability and responsibility for us to make sure we get it right. So, TJ, thank you so much for your thoughts and insights today. This has been wonderful. And I can't wait to share this with your peers and with the audience here, and I really appreciate you taking the time.

TJ Mann: [00:43:51] Yeah, absolutely. I had a grand time, so thank you for having me as a guest, and hopefully I'd like to come back again when you need it.

Brian Selfridge: [00:44:02] Absolutely. We'll take you up on that.

TJ Mann: [00:44:05] All right.

Brian Selfridge: [00:44:14] Again, I would like to thank my guest, TJ Mann, for sharing his perspective on engaging the business in so many innovative ways to drive the security program forward. We learned from TJ that it takes a cyber village to implement a security and risk program effectively. And I hope you're able to take some of these ideas back to your own villages and make them as safe as possible in the face of some pretty significant threats to each of our communities. As always, we like to have your feedback and hear from our listeners. Feel free to drop us a note about a topic you'd like to hear about or a thought leader you'd like to hear from as well. And you can reach us at our email address at CyberPHIx@meditologyservices.com. Thanks again for joining us for this episode of the CyberPHIx. We look forward to having you join us for the next session coming up soon.