Making the Cyber-Band: How to Assemble a Team of Security Rock Stars

TRANSCRIPT

[00:00:08] Welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we will be bringing you pertinent information from thought leaders and healthcare information, security and privacy. In this episode, we have a very special panel discussion with an impressive group of healthcare CISOs. The discussion is chock full of actionable insights from the decades of experience these healthcare security leaders bring to the table. We will cover a wide range of topics centered on cybersecurity staffing and team approaches, as well as discussion on the state of automation solutions and first hand lessons learned on implementation and security tools and solutions. We would like to hear from you as well. So if you have a specific topic or a thought leader you would like to hear from, just drop us a note at [email protected].

[00:01:03] Let's begin with some bios of the fantastic panel of experts we have assembled for this discussion. Our first guest is Andy Seward, CISO of Elliott Health System in New Hampshire. I feel compelled to read Andy's bio verbatim for reasons that will become apparent relatively shortly I hope. Andy commutes two hours each day to join his small but highly talented team of cybersecurity professionals at Elliott Health System in New Hampshire. Andy doesn't mind the commute because his teammates and boss are pretty awesome. Of course, he had a life before healthcare security every day for twenty seven years, he dressed like a tree as an active duty army officer. He saw the world. He parachuted out of perfectly good airplanes. His reward was to serve as the CIO of the United States Military Academy at West Point (Go army, beat Navy!) Then he retired. Stopped dressing like a tree, bought real clothes, but still dislikes ties. As a fervent follower of higher causes, Andy turned down high paying military contractor jobs in Washington, D.C., in hopes of a smallest, sleepy Post Army job at either the healthcare or education. He landed at Elliot Health, which turned out to be neither small nor sleepy, but hey, that cybersecurity. Andy loves his cyber team. Together, they have significantly reduced Elliot's cyber risk and implemented some cool cyber tools. They share a sense of serious, collegial professionalism sprinkled with the daily dash of humor. Andy he hopes that one of his three kids will someday become a cyber defender too, then he can really retire. But first, he has to pay those pesky college bills. So it might be a while yet. So we welcome you to the show and look forward to hearing from him and his many colorful anecdotes in the process.

[00:02:45] Our second guest is John Abella, system Director for Information Security and Enterprise Architecture at Main Line Health in Philadelphia. Prior to joining Main Line Health, John was the global head of cybersecurity operations at BlackRock, the world's largest asset manager. At BlackRock, John also managed the security engineering and architecture teams and led the first big data network threat assessment initiatives. Before BlackRock, John spent 10 years managing large scale PCI compliance efforts at some of the largest payment processors in the world. He was the VP of Information Security and Compliance for EVO Payments International, managing Compliance and security efforts for a network of over three hundred thousand small to medium merchants. Prior to his work at EVO, John designed and implemented the security program at retail decisions where they were processing billions of card not present transactions annually. So we welcome John to the show as well and look forward to his insights.

[00:03:40] And finally, and last but certainly not least, is our guest, Chuck Goff, IS manager, cybersecurity and risk at Dartmouth Hitchcock Health System also in New Hampshire. Chuck has been managing the cybersecurity program and strategic initiatives for the Dartmouth Hitchcock Health System for over six years. The program is centered on a best practice approach to risk management, with systematic assessments of business units, enterprise programs, information assets and new technology acquisitions. He has sponsored and driven projects ranging from machine learning based antivirus systems to user behavior analytics systems to privileged account management systems, enterprise level and identity access management, application privacy monitor, and the list goes on. He has been instrumental in refining and achieving adoption of over 35 new policies to support the NIST cybersecurity framework and has established a security operation center capability with staff monitoring of over 700 gigabytes of log data per day, of which we'll talk about in the discussion today.

[00:04:39] All right, let's get to our discussion. We've got an amazing panel and look forward to hearing from them on a variety of topics.

[00:04:48] Thank you guys so much. We're really excited to talk to this group of folks that have decades of healthcare security experience, among other experiences, and get a chance to talk to our topic of the cybersecurity staffing shortage as one of our sort of primary themes here today. We're going to meander around across a few different topics, but we're going to spend some time initially talking about cybersecurity staffing, some of the constraints that that's put on information security teams and your own teams here for the panel. And then we'll spend a little bit of time also talking through the role of security automation and tools and solutions that have come up in the market and how that may or may not impact the ability of teams to do more in maturing their programs while having less perhaps or more constraints on the human capital side of things. So lots to talk about, lots to get through. And really, again, thankful for the group for being here.

[00:05:42] So let's get started. I mentioned the shortage of qualified cybersecurity talent. It's a hot market. The skills are hard to come by. And when you do find them, they're hard to keep in many cases, as we've learned. And many of the studies that are out are sort of showing us that. And I'm sure you guys are living this. Question of the panel will go around the horn here. How is this issue manifested itself for you all in your team? Are you having to pay folks more to keep your existing team? Are you having high turnover and longer hiring cycles, anything like that? Andy, I'd like to start with you and see if this resonates with you. Has this shortage impacted you at all? And how is it manifesting itself in your world?

[00:06:25] Yeah, it really did, Brian. First of all, we did have longer hiring cycles. The issue was trying to find the person with the right fit. And in fact, for our second hire, when after I took over here, we had 16 different people come through and we went through even more resumes, of course, to fill a senior security analyst, kind of an all rounder position. And the trick was to find the right fit because we needed someone here in the healthcare space that both had some healthcare experience, but also could communicate really, really well verbally or nonverbally with the business, could be out there in the departments and be really effective. Turnover is always present. Yes, and higher pay is a consideration. But I found that by working with our local human resources team, we were able to address some of those situations. In fact, for that one I was talking about, that was a hard fill, had to go back to them and provide some data from some outside headhunters. Really went outside the system and said, hey, what would you pay in your area around in our case, Boston, for this kind of position? And by taking that data and going back to human resources, was able to make the case to grade the position appropriately and get the person that we really wanted.

[00:07:43] Awesome. Thanks so much, Andy. Appreciate it, John, how about your side? Are you seeing similar themes or anything different?

[00:07:49] Yeah, I mean, I think, the thing that really strikes us the most is absolutely the hiring cycles have been longer, especially as we look for more senior people. But being in the Philadelphia region, we're just competing with so many other businesses. Right. And there are no really interesting, good information security resources who don't already have some job that they love. Right. So it just comes down to a matter of are you going to be able to steal somebody from somebody else or are you going to find somebody who hasn't been in this industry and try and train them up? I can say from our side, we've been much more successful going out, sort of beating the bushes at higher ed and finding people that are smart and interesting and interested and then teaching them the security stuff as much as we can. And that doesn't work for all the roles, but at least on our more entry level roles, that's been the way that we've had to attack it.

[00:08:45] Thanks, John, so much. Chuck, how about your end?. I think you had to move for your job all those years ago, perhaps they had to recruit you. How has Dartmouth dealt with some of these staffing challenges?

[00:08:58] Yeah, it's a real challenge. We're further up in the woods from from Andy. So Andy is more likely to catch the fish coming upstream. And by the time they get up here, there's fewer in the river. And we're up in the woods, and so, frankly, we're in an area of the country where it's an ideal location for families with small children. But it's maybe not such a great location for people just coming out of school or young and looking for more of an active social scene. So we're competing based on our environment. Finding talent starts with finding somebody that really wants to stay here. And that that is a challenge. And then how do we retain our talent? And certainly as we're maturing the security program, I often say we're doing things that have never been done before. So there's an incredible amount of opportunity. And as Andy spoke to, how can we line up people's interests with the many opportunities that are available and standing up security program? So if I can really get people excited about work that lines up with what they're interested in, that's the best bet. And as we add more staff, there will be maybe less opportunity and will be more defined roles and responsibilities. But at least initially, we're very much trying to attract people with options and suiting or maybe customizing a position to the person more than trying to find the right fit for the position.

[00:10:30] Just a quick question to the group in terms of the retention strategy. If you're having these longer hiring cycles, it takes you sometimes a year plus to get the right people in. Are you doing anything differently to try to keep the folks that you have and what are some of the strategies you're using there? Andy, I'll come back to you on this one.

[00:10:51] Sure. For us, there's a couple of different things. One is just to create an environment where your people are happy and can perform well. So I was fortunate enough to come to an organization, that's part of what attracted me here to the Elliott, is they were building a program. And by building a program, if you have senior leader backing, you can go and get really great tools. So getting some really good tools was very important, being able to allow the people that we were hiring to come in at the same time we were selecting the tools to be part of the process and the discussion and choose the tools was also very important. I'm ostensibly the leader as the CISO, but honestly, getting the team together to be able to talk to vendors and be able to have those discussions to choose the right tool that would set our team was really critical. And then a couple other things in terms of the work environment. I try and feed their expertise and interests. There's plenty to do. And it's all good when you're growing a program. As you have a more developed program, you may become more task oriented or you may have to structure the work a little differently. But at least in the initial several three, four, five years and even later, if you're creative with it, I think one thing to look at as someone who's working with a team is just to try and find things that they want to do that are good for the organization. They align with it. It holds their interests, it feeds their intellect, and that's really helpful. Others will probably speak about training. We've tried to up our game on training and send our technical folks to appropriate training, and that's helped as well. We also have a telework environment, which has been a retention tool. I didn't initially see it that way, and I was a little skeptical of it, but it's worked. And the reason why it works is because they're all in. They're totally committed to their craft. And I just talk to them either through a WebEx or Skype session or a phone session, and we can work virtually very effectively. So I'll leave at that, pass to the next.

[00:12:55] Great, thanks Andy. John, I'll go to you on this. I know we've actually talked offline in prior conversations about the telework in particular and sort of what types of models are being out there. But either addressing that or other retention strategies that you have, how are you keeping your folks happy and healthy and not jumping down the street to the next big security job in Philly?

[00:13:15] Yes. I mean, I think we've been really lucky in the  turnover front and essentially basically had none. And I think part of it always comes back to training, right. Trying to make sure that people are learning the things that they're interested in doing. Certainly, we can probably do more here on the telework front. And I think that my team would probably prefer that a little bit more, not part of our corporate culture currently. But we've done a lot of things from an internal promotion perspective. Right. So we've actually gone out and done things. We've had an information security reading group that was open to all of IT. And what that's done is that we've gotten people interested in security that maybe wouldn't have been previously or found people who had an interest or a skillset that we didn't know about that were working in other parts of IT and been able to take some of those people and develop them into security staff. And I think going at it from that angle has also helped us a lot.

[00:14:16] Andy, do you have any impact of sort of the physical geography? Is Manchester better or worse for attracting cyber talent? You've got universities there, you've got some theatre options. But how does that impact your program, if at all?

[00:14:32] Yeah, that's actually an interesting question for us because in southern New Hampshire, we're just over the border from Massachusetts and really not that far from Boston, which actually places us in a really interesting position. And here's why. Boston is a nice hub for really good cyber talent. So the advantage we have is we can sort of make a bargain space, have a discussion with some of these people who are trying to make a decision as to where to go. So if they want to go earn a lot more money, they could definitely go down in the city, and they could work really hard down there. And that's, as Chuck mentioned, for folks who are younger maybe and really want a social life in that area. If that's what they want, that's terrific. But the bargain that we can offer on this side is this really great work space and this environment of you can come to work every day and do something and feel real pride in what you did because, you know, you were helping patients. You were helping our physicians and clinicians to do their skills, to do their things better, to provide that patient service. And so we may not pay as much, but being sort of a suburb, if you will, or a small city on the outside of a really large metro area does have some advantages because you get to recruit from a bigger pool and you just have to, like Chuck was talking about in the upper valley of New Hampshire, up in the ski areas and everything where he is, it's just an issue of how you phrase that. What do people really want? Do they want quality of life or do they want money? And you try and find the space there for them to choose what suits them and their family best.

[00:16:10] Makes sense. John, do you have any perspective on that being in the sort of metro area? You made a comment earlier about sort of the other opportunities in town for cybersecurity. Do you see the geography playing advantages or disadvantages from your perspective?

[00:16:28] Yeah. I mean, I think like I said, we're certainly in an area where there's fierce competition. There's not not a person in our IT group that doesn't get a call or two a week to work across the street from exactly where they sit right now. So that's always challenging. I think one of the things that has come up and sort of gotten us with some of the some of the newer staff, especially some of the staff that's just coming out of college, is we are on the outskirts of Philadelphia and we're actually having a challenge in that some of the people that we want to hire and live in Philadelphia and don't have cars. They want to come out here by train, which gets them close, but it doesn't get you to walkable distance to my office. It's actually sort of a unique problem. We've got some people who have taken roles here who end up buying a car to leave at the train station, essentially. But that was a challenge I think that that we hadn't anticipated. So many of the candidates that were interested and interesting to us would live in the city and not have an immediate way to get out here.

[00:17:33] Ok, I think we've identified the need for the cyber shuttle line item on your budget where we'll bring folks from the train station over to the office. It will bring highly qualified candidates in. And so thanks for that. That's a tricky one. I want to pivot here a little bit to talking about a resource that's been, I think, underutilized historically in cybersecurity and a lot of technical jobs, and cyber roles have evolved from being traditionally viewed as a very technical techie kind of job to something much more broad when you look at risk and other aspects of the cyber protection roles that are out there. And that's looking at women in the cybersecurity work space and the growing number of females that are becoming available and getting trained and being able to to come into to the space. Andy, I'll start with you again here. Have you noted this trend at all? Have you sort of made many inroads with being able to bring more more females into the cybersecurity workforce or any perspective you have on that front?

[00:18:42] Yeah, we're actually quite lucky here at Elliot Health. 50 percent of our team is female. And it would it would be nice if I could say that it was done usually by design, it really wasn't it. It came that way because they interviewed, it depends on the case. It's just who came and who interviewed and who really was a great fit. And in this case, our security engineer, for example, she is outstanding. And she's female. Our application security senior analyst is female, and we're actually consolidating with another health system in Nashua, New Hampshire right now, when that consolidation occurs, if it occurs in and the two teams come together, in fact, it will go to greater than 50 percent female on this particular team. So I guess my point is, is that these talented women are out there. We just need to find them and bring them in and make them part of the team. And we'll all succeed that way. I think there's a lot of talent out there just waiting to be hired. And where possible, our team members try and help others along, male or female actually, but they try and identify people who have an interest in the cybersecurity business and cybersecurity talent, and they try and help them develop that talent. So I think the future is good for this, but it's going to take a little while to shake out. But they are out there.

[00:20:15] I'll hand over to John.

[00:20:17] Yes. So our team is about 40 percent female, but we're sort of in the same boat. This wasn't something that we went out and pursued. I also run enterprise architecture in addition to information security, and our enterprise architecture team was two thirds female. That's just been a natural progression of trying to interview people for the roles. I don't think we had to go out and talk to recruiters about any kind of special request. We've just had really, really great candidates come in and be a good fit for what we're looking for.

[00:20:58] That's great to hear. Chuck, any observations, perspective from the Dartmouth side?

[00:21:05] It's an interesting dynamic that we have here. The privacy team is exclusively female and the security team is exclusively male. I wouldn't choose for it to be that way. It's how it's fleshed out so far. I think we ought to take serious consideration about how we write our job descriptions in our postings. If I look across the fence over into the technology organizations, same type of thing. The IT folks, the server, the network team, I think there's one. But you look into the application teams or user support, it's a really good balance. So, you know, I'm taking it sort of to point that I need to revise the advertisements that we're putting out there to appeal to a broader audience. I think maybe we've emphasized tech too much. And absolutely, going back to the first question about finding qualified cybersecurity resources, I think for us it's imperative that we grow our own. So I'm very confident if you find the right fit, we can develop them. We'll probably get into it later, but what are the skills, what are the competencies or the attributes that are most important? The summary is we're probably causing our own problems, by the way we're posting jobs, and I hope to do better at it.

[00:22:28] Well, that's good. Great insights from everybody. I'll share our side as well. We're about 50 percent female by design, though I think in a large part. We spent a lot of energy retaining our phenomenal female workforce. We've got a women's group. We've got focused efforts on that. And it's been a real blessing for us in a field that is sometimes hard to balance out with those skill sets. So I really appreciate you all sharing your thoughts there.Let's let's switch gears a little bit. Change up our our discussion points a little and talk less about the human side for a minute and more on the automation and technology side of things. You start looking at automation of technology, you start looking at artificial intelligence and these burgeoning capabilities and tools with the potential that these solutions are going to help our humans be faster, smarter, quicker, help us mature our security programs more effectively. And so we've got a couple of questions for the group around how and if security automation is helping to get more done with less physical human capital, or is it helping us at least mature the programs? Are we having to add headcount now to sort of managing care for the the tech? So let's talk about that a little bit. Andy, I'll flip back to you on this one. Do you see automation sort of helping your program move forward? And what impacts, if any, does it have on the personnel side of things?

[00:24:05] Yeah, it can only help. And the reason why it can only help is because it's an augmentation where it makes us either cover more hours, in other words, what our people are doing in the regular business hours, but it extends into the evening or over the weekend and stuff, so it can help with that. It can also cover more areas more efficiently by a lot of these tools that we have today are getting much better in terms of providing a dashboard that's much more efficient. And that's through automation. That's through consolidation of logs and other data and feeds that give us a much more comprehensive picture at the point of the console where the human does meet the system. So it's both an augmentation outside of the human and also to the cybersecurity defenders that are doing their work. I see it as a total advantage for help. If you think about IT in cybersecurity, I mean, cybersecurity really wasn't a big deal until like around 2000 to 2003 or 4, at which point the script kiddies and the other things came up. So what happened is all these I.T. teams grew and grew and grew with server sections and help desks and everything else. Cybersecurity is coming late to the game. And the little secret is, is that we have to still cover all the same ground that your regular IT team has to cover. We still have to cover servers and storage and applications and provisioning and access. And so if you can use automation as a way of essentially getting an economy of scale to cover all this ground better with fewer people, I think that's all for the good.

[00:25:46] Excellent. All right, so one vote for the robots are helping. John, what say you?

[00:25:52] Yeah, I mean, I think I'm on the exact same page. Right. The automation aspects for us are really about making sure that people are spending time where it's most valuable. Most of the things that we're talking about, from automation and especially from an orchestration perspective, are can I have somebody commit whatever it is, 16 hours now, to work on automating something, to never have to do it again and to free them up to use their limited time in a day on higher value things. To me, it just sort of comes back to being a Unix Sysadmin mid 1990s where, you know, our ethos for hiring people was to hire people that were systematically lazy, intentionally. Because those were the people who would never do a manual process twice. They would stop the second time and they would write a script, and they would make it so they didn't have to do these tedious things. I really look at  the security automation tools in the same sort of way. My team has spent a lot of time in making sure that the second or third time they have to do something that they have an automated way to do it or that they're working on a way to orchestrate it and streamline that. For us, it's almost been like a force multiplier in that we get back more valuable time to work on the higher impact things.

[00:27:13] Excellent, and Chuck?

[00:27:15] You know, it's interesting. Like I said in my bio, I came out of some other sectors, which were much more mature in their enterprise processes. Coming into healthcare, both in IT and in security, what you see are some organic evolution of processes. And so there are distributed functions buried all over the place. And inherent in that is a lot of manual work, unnecessary manual work. And at the same time, we're growing a healthcare system. We're now upwards of 14000 employees. We're bringing in member affiliates at a rate of one to two a year. It's just not feasible to be maintaining archaic manual processes. And so you got to begin with the end in mind. What is it that we're trying to achieve? And we have to scale. And you need automation. You just can't hire enough people. I said we're looking at maybe 700 gig of log data a day. Well, how many people would that take? So, bringing in automated tools for behavioral analytics, automating the identification of vulnerabilities in our systems and then mapping that to the owners of those systems, so they're automatically notified that they have critical or high vulnerabilities. It's imperative for us to do our jobs. You know what is also interesting is that you can sort of market this and say, look, you can develop a full time career. You can be a Splunk administrator and go on and do very well economically or some of these other tools that we're bringing in. So it should be attractive for the right candidate to say, look, I want to master some of these automated tools then I can go on to do something more than just be a security analyst. I can be a security architect or engineer. So I think it brings a lot of opportunity and it's absolutely necessary.

[00:29:12] Brian, this is Andy. If I could just add, I think those were great points by Chuck. The thing that's different here is, at least I'll just speak for myself, I don't feel a threat from automation in cybersecurity. I just see potential. We're small. We're never going to be big. Money's tight. That's that's the way it works. So automation gives us that augmentation advantage to cover more ground and do some of these things to get rid of some of those manual processes that Chuck was talking about. That may be different over in, as he said, the more longer term developed side of IT, the traditional IT that I came from and many of us came from. In those areas, maybe automation is seen as potentially job threatening. But here in cyber, it's like just help me do our job better and cover more ground.

[00:30:03] So, Andy, what are some of the functions and security capabilities that you think are most conducive to automation? So Chuck talked about the 700 gigs of log data and sort of trolling through that. That's a great use case. Where do you see the most benefit in what types of technology you think you get the most bang for the buck?

[00:30:23] In a couple of places. One really obvious one is medical device management. It's an area in cybersecurity that's really worried us with all of these infusion pumps and telemetry devices and IOT devices out there within our hospital systems. And I'm sure it's the same in other industry sectors. So anything that you can do to sort of understand your environment, inventory it, and be able to get useful, actionable data off of, that's an area where automation can definitely help us. I think in general, just in a more general sense, you can use it in terms of just organizing your work in order to structure the things that you need to track. We all have these security frameworks, and we try and look at our security world and say we're doing well in this, but not so well over here. And tracking those things and how you're doing in a risk registry sort of environment, those are very helpful things where automation could probably grow and help us in the cybersecurity world. And the last one that comes to immediate mind is auditing. So our crown jewel, if you will, is the patient data and the patient data is residing in a large electronic health record system. And in our case, we happen to use a product in this case, FairWarning. There are others, but FairWarning. We use that to be able to audit those are people going in and touching that confidential data so that we know whether it was appropriate or not for them to do so. And in fact, we use an automated managed service on top of that. That sort of queues up if the search or the audit finds something that maybe wasn't looking right, then it can queue it up to the privacy and compliance folks to say, hey, we better take a closer look at that. And it actually develops all of that, which saves them a lot of time. And if you do the math on it from a return on investment, it's worth it. So those are three areas that I can see.

[00:32:13] Thanks, Andy. And John, apart from the scripts here and there that you mentioned, the team is sort of innovating their manual processes, where do you see the most beneficial use cases for automation?

[00:32:25] Yeah, certainly on our side, I think one of the biggest things in automating really the work that we did with our MSSP, not only sort of outsourcing that low level monitoring and alerting and sort of first level internet response, but then actually automating what happens when those alerts go off. So when you start with a new MSSP and you're working through the process, when you're not a mature organization, the MSSP notices something going wrong, they do what they can. At 3:00 in the morning, they start going down a phone tree and calling people. Where in a kind of organization that we run now and the kind of place that we want to be, now we've worked with our MSSP to get them set up so that when they have something that needs to be escalated, it just calls into our service now and opens a ticket, it goes to the appropriate group. It gets set with the appropriate priority based on how severe they think it is. And that took some time to get all that right, but now there are things that used to be what I would consider sort of the first line information security team incident or an issue that required our intervention that we don't even know about now. We see it in the dashboard. We don't have to handle anything about it. It comes in the middle of the night, it gets sent to the right team. If it's a low hanging fruit kind of thing, it goes out to the field services staff at the right facility, and they handle it. That's really the kind of way that we want to deal with it.

[00:34:04] All right. So we're clearly in a love fest with automation. This is good. It's a good trend. It means we're the tools that promise. I, however, might have to be the one to call the baby ugly here. Question is, are there downsides here, especially from a staffing perspective? And Chuck, I'm going to come to you first for this one. When you look at having to implement these fancy new fangled tools, this Splunks, the whatever else it may be, do you end up having to go out and hire and retain or train to very limited and specific skill sets around a tool or tools? And how does that impact your sort of spend in your program? Does that change the way you look at the assembly of the team? Any thoughts there? Start with Chuck and we'll go around.

[00:34:50] Yeah, thanks, Brian. No, I'd say probably one of the challenges we have is the speed at which we implement things in healthcare because we're so busy with the operational work that standing up some of these new tools probably takes longer than most businesses would like. So because of the duration, or the time cycle, to get the tools implemented and up to speed, I think it creates a level of awareness around the organization and provides opportunities for the grow your own type approach to be effective. We may or may not choose to have a technology implementer assist us with standing up some of these technologies. Form a team, and it doesn't take that long once you have a team that they start to acquire the skills and become become rather adept. Our philosophy is as much as possible to have our own staff managing these tools. We prefer not to go into managed service contracts, if at all possible. I mean, that sort of flies in the face of a lot of other sectors. But that's how we do it. So I see it as an opportunity, and some of the things that we have done, bringing in like identity management solutions or user behavioral analytic solutions, I've witnessed that very approach where people pick up the skills and over the course of a year, maybe they go off to a conference or two and they start rubbing shoulders with their peers. And after after two years, you've got some fairly seasoned experts in these new tools. And I feel pretty good about it that we've got state of the art tools and we're developing expertise. So if you want to get something in, slam it in and get it done quick, that's a whole different ballgame. But if you've got a year and a half to bring something and build the skills, then that seems to work.

[00:36:47] That's great. I'm sure some would argue that the idea of slamming in a large enterprise automation tool and trying to get value out of it right away is perhaps a little misguided. And we've all been there and done it. So I realize it's tempting in the right spots. Andy, do you see any downsides here to specialization of resources needed and the skill sets that come with having to manage these tools?

[00:37:11] Well, yes and no. I know it's a wishy washy answer, but it does take more time. It may be very cool for your security team. They may believe in this tool and everything else, but if it's a tool that shared beyond security, you also need the buy in and the processes built, an enduring process with your infrastructure network, help desk, desktop support, whatever applications people, as well. That takes a little bit longer. In other words, if the tool is very narrowly focused, and it's really just run by security, I think rolling it out can be pretty quick. But the more automated the tool is that requires more than just your security and you've spread it across a much bigger group, it becomes more difficult. So it just takes more time.

[00:38:03] Makes sense, John, any perspective from your side?

[00:38:06] No, I mean I think the issue we always run into, especially if we're going out and hiring, is that we're just finding people that are super specialized and they're absolute pros in all the tools that we have no interest in. Right. And that doesn't mean they can't learn what we need, but it also means that out of the gate, they're not going to necessarily bring a huge uplift to our skillset. Around here there's a lot, a lot of people that are really good at ArcSight. That doesn't help me at all, though.

[00:38:39] It's like all those BlackBerry admins that are out there floating around. Yeah, I sometimes have had to counsel especially folks younger in their career, like, look, learn the skills, learn the tool, get good at them. A lot of times those skills are applicable across tools. But don't lead out with I'm a X vendor X product person. You're going to need to be a little wider because these things come and go, and they're great for short term revenue boosts, but career wise, you're going to need to broaden your portfolio a bit. So this is a great conversation, we're moving right along. I'm going to move us to the third sort of major piece of our discussion here. Let's talk about how to find the best talent out there. Those purple unicorns that are so mythical and hard to find, the right skill set. They know the tool, but not too much. And they know how to do risk management. They know policy. And they can speak like a human being to the business stakeholders and the like. It's hard to sort of mix all this together. So I want to talk to the team, just sort of leave this a little bit open ended about what are some of the characteristics of, in 2019 and beyond in particular, of security resources that you're looking for, especially if there are folks listening that may be sort of in the market building their careers. What type of skills and capabilities will they need to have to be successful? What does that look like? And maybe what are some candidates that you've vetted that were the right fit or the wrong fit? And how do you just flush all that out with the candidate pool as you're looking to hire up for your programs going forward? So Andy, we'll go to you. We'll go around the around the horn here, and then we'll go from there.

[00:40:20] Yeah, I'll just add a couple right off the bat. I mean, I mentioned before people who are very, very good with their communication skills and who can represent and explain cybersecurity across technical and professional boundaries. That's really, really helpful because then you can get people to understand and back what it is that you're trying to do. Another one is we have tried to attract people who are willing to share their expertise, who are comfortable in their own skin and their own expertise to the point where they actually want to grow other people around them. They don't hold their expertise to them and control it or control the information around it. They really give it away. They want to build up this cybersecurity area of professionalism that they're working in and they want to collaborate with other people. Maybe that's a separate sort of thing, but we have a very strong collaboration ethic here to share information across even rival hospital health system lines between cybersecurity teams. And if they were unable to do that or felt uncomfortable with doing that, I think that would be a problem. They also like to own their work so they feel pride in their work, which is really important. And then two last things that I'll just leave that are kind of quirky. These are things that maybe folks haven't thought of before. And I fell upon the first one just by sheer dumb luck. The first one is hiring people who were literally constrained and unhappy in their last job. People who come from locations that have a lot of talent, but really they felt like their wings were clipped. If you can give them a good environment and lots of great tools and a place to grow, you're going to watch them blossom. It's awesome. That really works, so if you can tease that out through the interview process and things, that's paid off handsomely for us. And the last one is a simple one, a sense of humor. We do a very professional and deliberate job every day that's very serious. Cybersecurity is a serious business, and it carries risk. But if you carry it with a sense of humor and the team has a sense of humor about it, I look for those people that have that sense of humor. They see the humor in things with their intellect. I think that's important as well.

[00:42:33] If we didn't laugh, we'd have to cry, I guess is perhaps applicable to cybersecurity at large.

[00:42:39] That's absolutely true in cybersecurity. Yes. Brian.

[00:42:44] So, John, same set of questions to you. What do you look for, what types of characteristics for your team as you look to build up going forward?

[00:42:52] Yeah, I mean, I think one of the things, and it a little while to figure out how to interview for it, but we're really looking for people that are intensely curious. Right? We want people that absolutely question everything and are willing to really dig when their instinct says they need to be digging. And that I think for us has really paid off the most. Certainly, we try and do everything we can to keep people engaged, but, when we're looking for people, curiosity is probably the biggest thing we're looking for. And all the other stuff matters. We're less focused on getting people with the best communication skills. It doesn't matter to me if my team spends all day talking to each other. My job is to go out and sell the ideas and sell the business on what we're doing. And my team can work whatever way makes them comfortable.

[00:43:49] Excellent. Chuck, you'll close us out on this question.

[00:43:52] I really appreciate the comments that John and Andy made. I would echo many of those. It really boils down to a couple of factors. One is I'd like a player-coach. We're growing in a lot of capabilities that we're not extant in the organization prior to the past five or six years. So we need to have people that can understand their position, but more than that, become a coach to others and look across the siloed organizations and say, OK, how can I use these tools to help others in the organization achieve their goals? So there's a certain degree of empathy. That curiosity that John spoke of, it carries over. Well, I'm curious about how it does my job, but how can it also help the datacom team or the server team? And just a certain degree of patience. We like to make security the most important thing ever, but frankly, the business has other ideas. They're trying to grow the business. They're trying to extend IT into member organizations. And in many ways, we're sort of an insurance part of the company. So helping others do their job, having patience and maybe resiliency. So maybe you don't get what you want today, but come back tomorrow and just keep at it until we can prevail and implement what it is we need. Those characteristics of empathy, of curiosity, of resiliency, of patience, and becoming a player-coach are just the things that I look for.

[00:45:35] Well said and well put by all. So thank you guys so much for your perspective on that topic as well as the others.

[00:45:47] Again, I would like to thank our esteemed guests for a sizzling conversation on a range of topics centered on building an effective information security team and program. I've taken more notes here than I can recap on all the gems and insights this group has put forward. I'm very thankful for these colleagues to take the time out of their cramped schedules and help share their experience with us, as well as with the industry at large. We learned a lot today, that's for sure.

[00:46:09] As always, we would like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you would like to hear about or thought leader you'd like to hear from. Our email address is [email protected]. We look forward to having you join us for the next CyberPHIx podcast coming soon.