More Data, More Problems | Scaling Enterprise Security Risk Management


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Managing security risk at the enterprise level has become increasingly difficult as digital health information becomes pervasive, both inside and outside healthcare delivery settings.

That challenge is even more pronounced for very large providers operating hundreds of hospitals, outpatient facilities, research centers, and administrative support functions.

In this episode, CyberPHIx host Brian Selfridge speaks with Britton Burton, Director of Risk Management, Information Protection & Security for HCA Healthcare, the largest health system in the United States.

Learn more about strategies for managing security risk at scale, including risk information capture and communication to support meaningful decision making for the business. Highlights of the discussion include:

  • Identifying assets and commonly overlooked areas where sensitive information may reside
  • Gathering and communicating meaningful risk information
  • Prioritizing assessment and remediation activities across a broad portfolio of systems and locations
  • Engaging with the business and building meaningful relationships across geographies and functions
  • Approaches for driving efficiencies for large-scale risk management programs
  • Managing and demonstrating regulatory compliance at scale

About Britton Burton
Britton is the Director of Risk Management, Information Protection & Security for HCA Healthcare, the largest health system in the United States. Britton is responsible for managing security risk across the organization's expansive network of hospitals and healthcare delivery facilities.



Brian Selfridge: [00:00:17] Hello and welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we'll be bringing you pertinent information from thought leaders in healthcare information security and privacy. In this episode, we'll be speaking with Britton Burton, who is the Director of Risk Management, Information Protection and Security for HCA Healthcare. I'll be speaking with Britton about managing information security risk at scale for very large organizations with hundreds of hospitals, outpatient facilities, administrative and other locations. I'm excited to hear from Britton about his experience and insights about handling information risk decisions across a wide portfolio of systems, applications and functions. So let's dive right into it.

Brian Selfridge: [00:01:05] Hello and welcome to CyberPHIx, the leading podcast for information security, privacy, specifically for the healthcare industry. I'm your host, Brian Selfridge. I would like to welcome my guest, Britton Burton. Britton is the Director of Risk Management, Information Protection and Security for HCA Healthcare, the largest health system in the United States. Britton is responsible for managing security risk across the organization's expansive network of hospitals and healthcare delivery facilities. Prior to HCA, Britton worked for several years in marketing community relations at Vanderbilt University Medical Center and completed a Masters in Computer and Information Systems Security and Assurance from Lipscomb University. I'm really excited to speak to Britton today about managing enterprise security risk management at scale, in particular, including how to collect and analyze risk data efficiently to inform risk decisions for the business. So really excited to have you here, Britton. Thank you so much for taking the time to be on the show.

Britton Burton: [00:01:57] Hey Brian. Great to be here. Really appreciate you giving me the opportunity and looking forward to talking to you.

Brian Selfridge: [00:02:03] All right. So I mentioned that word "at scale," Britton, up front. I think you've probably got one of the more unique perspectives on scale and trying to figure out how to apply information security, risk management processes to a wide range of physical locations, systems, applications everywhere else. And as we have digital health now becoming pervasive inside and outside of healthcare settings in the patient home and attached to patients and all kinds of things, maybe you can tell us a little bit about the scale that you have to deal with and maybe some on the playing field that you've got to worry about that might be different from others.

Britton Burton: [00:02:41] Yeah, absolutely. So at HCA Healthcare, we've got about 180 hospitals, 170 surgery centers, 100 plus urgent care locations, thousands of physician practices and many, many multiple dozens of other kinds of outpatient specialty locations. In addition to that, we have several integrated lines of business that support the operations of a modern healthcare company. You know, from supply chain to staffing to billing and accounting, integrated labs, I.T., I mean, you name it, we've got it. So I think basically every major technological challenge that you can think of in a modern healthcare setting, it probably exists somewhere in our environment, because we touch almost every aspect of the care delivery cycle and we do it at scale.

[00:03:31] So there's thousands of unique applications. There is an enormous fleet of medical devices from tons of different manufacturers, lots of mobile innovation and third party systems, telehealth. And all of this is happening at lightning speed and, you know, distributed across the country and even other parts of the world. Hundreds of thousands of users, complex integrations, complex business relationships, matrix organizations, basically, you name it. We're probably dealing with it at some level. So it's an amazing challenge. It's exciting. Sometimes it's difficult sometimes. But, yeah, there's definitely scale and we're definitely dealing with this.

Brian Selfridge: [00:04:13] So I always laugh that there's some organizations, some folks that come outside of healthcare security folks, will say, oh, you know, you've got to start your program and understand where your sensitive data is. And, you know, make sure you've got processes to prioritize and categorize all that information. But in healthcare, it's everywhere. Right. I suspect everything you just mentioned there is PHI sensitive information somewhere. How do you even begin to wrap your head around just understanding what's out there? What types of ways can you even just figure out what you have, where it is, even before you worry about trying to figure out how to protect it?

Britton Burton: [00:04:46] Yeah. I mean, first, I think you work under the assumption that there is PHI everywhere. And of course, that makes it difficult to prioritize certain things or to focus on certain systems over other systems. But you have to just make that assumption that it's pretty much everywhere. And so how do you build sort of a trust nothing environment without completely binding and gagging your business to the point that it's inoperable? So I think like most organizations, whether you're in healthcare or not, we're tackling the challenge of asset and lifecycle management. And, you know, it's an enormous challenge, but it's something that you've got to do. And probably every healthcare organization is on a different leg of that journey. Even things that are conceptually simple, like building a CMDB with data sensitivity tags for your server assets. I think in smaller organizations that's really challenging. But the bigger you get, the more challenging that gets, just as the volume stacks up. But finding a way to make that a discipline within your I.T. shop is really important. And it also takes leadership. You know, it can't just be a, let's assign some desktop analysts this task because of the amount of discipline it takes, the amount of rigor that has to be applied. You really have to have a leader who has that as a responsibility. And says I'm going to champion this, I'm going to take it to the highest levels of the business, and we're going to mature ourselves in this asset space. And really, until you start doing that, the best you can do is assume PHI is everywhere, and you never begin to narrow it down to, yeah, but there's more of it here than there is there or, you know, whatever version of maturity you can begin to build towards. And I think that's so key is just start and start building maturity. And by next year, you'll be in a better place than you were this year.

Brian Selfridge: [00:06:45] Are there any areas that tend to get overlooked? Like I see some organizations who will focus on all of our controls around the electronic health record. And we got that, you know, Fort Knox-ed, and then there's all these other assets and things floating around out there. Are there any areas or assets or parts of the business that you think sometimes healthcare entities can overlook, and security risk people might do well to turn over those rocks and make sure they're looking in some uncommon places?

Britton Burton: [00:07:15] Yeah, absolutely. I think the two most obvious answers, so I won't even spend a lot of time on them, but they have to be mentioned, are mobile devices and cloud. Right. The ease of users being able to download what they need to use those devices is such that it's going to happen. Right. And when you're dealing with PHI, and you assume it's everywhere, it also means it's really easy for PHI to get in the cloud or to get on mobile devices that may not be under your control. I think everyone's somewhat aware of that and is working to address it. Not that that makes it simple to do, but they're at least working to address it.

Britton Burton: [00:07:51] Two areas that I think are interesting that I don't know if everyone has thought about or is actively working on, but you can actually do some things to easily address and maybe get some quick wins. Think about your share drive, SharePoint, Internet, you know, file storage, file sharing tools. That's unstructured data. So it's not really the first thing that everyone thinks about. You already said EHR, that's obviously one of the first things that comes to mind. But it can be unbelievably valuable or unbelievably damaging from a data standpoint in terms of what's there. And, you know, it's also really easy for that stuff to turn into the wild, wild west. You have your access provisioning processes that you use in more structured data contexts. Do those tie into your role-based provisioning for your SharePoint infrastructure or your share drive infrastructure? Do you have some basic permissions settings, checks? And do you routinely check for that? It's really easy for those to get out of whack, especially if you have a distributed provisioning environment and, you know, anyone, anywhere can set up a SharePoint that their department has access to.

Britton Burton: [00:08:58] Another one is BI tools and dashboards. Right. Modern business runs on BI, and, I think, most organizations do a pretty good job of locking down the underlying databases and the data stores that are used that your data science or your data analysts are using to create these dashboards. But the actual provisioning or the access to the dashboards themselves could also be the wild, wild West. And so it's a similar question. Do you apply the same standards you would apply to a more traditional application to that? And do you know who's accessing those things? Because usually they're more like trended data and that kind of thing. But usually you can drill down, and you can get into what is considered sensitive data, even though you may be starting at a top level with trended data and big trends for the enterprise. It's not difficult to get down into what would be protected data.

Brian Selfridge: [00:09:55] It's funny, you mentioned the BI tools and the shared drives. So we do a lot of these pen tests, ethical hacking stuff. And I remember I was out at one organization and they were sort of talking about, oh, we've got it all locked down. We're gonna catch you. That’s fine, I hope you do, that's why we're here. And we found seven copies of the production electronic health record database, seven full production copies elsewhere for BI purposes. And they were just in like, you know, test 1, test 2, analyze this, population health, other over here, some on shared drives. Lot of times, we'll grab them, and no one ever sees us coming. They don't know we were there. The auditing isn't there. Yes. It's just terabytes of data just floating out there that nobody's really paying attention to all the time.

Britton Burton: [00:10:38] Yeah. Yeah, absolutely.

Brian Selfridge: [00:10:40] So when you've begun, I'm going to say, begun to get a handle on where all your assets are, I don't think any of us ever have that 100 percent. I don't know if you've got that figured out, we'll ask you about that. But when you have a sense generally of where the assets are, what's out there, what are some of the types of risk data that you find more useful than others? I mean, you could collect information about vulnerabilities or the PHI. What are some things that you want to know about that asset that are going to be the most useful for you from a risk perspective right off the bat?

Britton Burton: [00:11:12] Sure. To a certain extent, I think any information you can get has some level of value. The hard part is figuring out what that value is. You know, when you talk about vulnerability scan and remediation information, I kind of consider that to be this continuous undercurrent of activity that you just have to be doing nonstop for security purposes. There are certainly trends and there can be watershed issues that arise through vulnerability scanning and remediation efforts that can force global risk management decisions based on the lifecycle of that work. But a lot of it is just staying on top of it as much as you can from a daily basis because the threat world moves so fast. And from a risk standpoint, you're often looking at a bigger picture, trying to be somewhat more strategic and may not be agile enough to keep up with it. So there's relevant stuff that comes to you, but it's a much more operationally critical set of information for just maintaining your shop. Right. There are all kinds of targeted assessments that I think are the building blocks of a risk management program. So, you know, as you do more targeted assessments of systems, of lines of business, whatever it may be, you begin to build these inventories of specific risk problems that you notice in multiple areas. And that gives you this ability to roll up to better understand where your control deficiencies are and where they're most common organizationally. But there's all sorts of assessments like that. Right. There are assessments that your own team may be doing. There are assessments that others within your department may be doing. And there's internal audit. There are, you've mentioned, you've done third party pen tests for others. You know, I think the problem is not: what do you want to use? It's that there's so much available to you that we're all kind of overwhelmed with the amount of it. And what do we do with this all? 

And I think the key is to figure out what to you, right now, not two years from now, because you're building something cool, right now, what is risk relevant information to you? And how do you build a risk framework that allows you to normalize that against your inventory of controls, threats, vulnerabilities? How do you take that and do something with it? And you have to fight the urge, I fight the urge all the time, to say I want it all because I've got these great ideas, and it may be three years until any of those ideas are executed. So what can you start with now? And maybe you start with your one, your annual HIPAA security risk assessment, if that's where you're on the maturity curve. Don't try to boil the ocean. Start there. But eventually, you'll begin to see that all that has value, it's just a matter of figuring out what's more valuable than others. And how do you normalize all of it into one big pot? One big framework, if you will, to actually make sense of it?

Brian Selfridge: [00:14:09] There's a bit of a debate in the industry around: do you track risk information down to the asset level and know that we've got, you know, hundreds of thousands of X, Y, Z assets and here's where they are and here's every bit of risk data we can. You mentioned you want to know as much as you can about your program, the risks that are out there. On your scale, we're talking about sort of that whole idea of how you blow this up to a larger picture. Can you even manage asset level tracking? Is that useful for you or do you need to sample or how do you just handle such a large volume of assets and trying to figure out how to secure them on the aggregate?

Britton Burton: [00:14:47] Yeah, I think asset level risk tracking is just not feasible at our size, maybe for small organizations either. It depends on how small you are. If you're one physician's practice, you might be able to do it right. But any system of almost any size, I do not believe, even if it were feasible, that it would be time well spent. I think there are certainly things you can do on every single asset. We've already talked about vulnerability scanning. Obviously, you should be scanning anything that touches your network. And while that's not true risk management, that is that operational, we're at least watching our, you know, our potentially many front doors. But that alone, you know, that doesn't give you asset level risk management or asset level risk tracking. So I think what is feasible is setting control baselines for asset classes. Right. So in general, everything on the network will be scanned, all asset classes, every workstation hard drive will be encrypted because they're more likely to leave than a server in a data center. Every USB, right, can be blocked on every workstation. Maybe every server is in a lockdown physical environment, and not under a desk, you know, in an imaging room. Every mobile device will have MDM on it.

Britton Burton: [00:16:10] I think there are certain things like that, more control baselines for asset classes that you want to try to stand up and try to, you know, report against and audit against and all of those things. But in general, you're gonna have to sample. You're gonna have to look at: Are we meeting certain baselines on the whole? What percentages of our asset classes are meeting these baselines? And what's a risk threshold that we're comfortable with? Because you're probably never gonna get to 100 percent. And when you can get into some asset level risk tracking, risk management, is, I think, your most critical assets or groups of assets. We've talked about EHR already. That's, probably for any healthcare organization, going to be one of those most critical crown jewels. Maybe you can get into some much more granular asset level risk tracking for that because that can't get compromised. But your H.R. application or, you know, name something else that you just don't deem as critical as certain systems. I'm not sure it's worth the time and energy, you know, investing and how much. What level of asset level tracking you do on that.

Brian Selfridge: [00:17:22] Since we can't get to it all, at least at an asset by asset level, how do you get that comfort level that you know I've got good enough coverage. I got a pretty good idea of what's out there, prioritized. Is there any recommendations you have on just how to feel like you can sleep better at night than I at least have a pretty good idea what's out there living. We're living with the risk, like you said, that the organization sets. But any sense of how you get to that comfort level coverage?

Britton Burton: [00:17:47] Yeah, I think you retire. That's how you feel comfortable that you've done everything and you can actually really sleep at night. I don't know if I'll ever feel like we are truly looking everywhere because there's always that edge case. Or you read that article last week. Oh, man. We have a problem. If we thought about that. Right. But I think what you can try to do and what we are trying to do, what I'm trying to do to keep myself sane is at least I can divide the environment into categorical assets that we have and define to what level you're risk blind versus risk aware.

Britton Burton: [00:18:29] So risk blind is a term that I use a lot. I don't think it's really an industry term, but I think it's also fairly self evident. How much do we know that we don't know is essentially risk blind. And can we put criteria or quantify that in any way? You know, these categorical assets, servers, workstations, mobile cloud applications, databases, third party, medical device, whatever you can think of. Can you put any kind of quantification on: I am risk aware to this degree and I am risk blind to this degree. And then every single day is just an opportunity to try to change the ratio weighted more towards being risk aware versus risk blind. And there's probably gonna be some new categorical thing that comes up that you go, wow I've never thought of that. And you may start off at zero percent risk aware, a 100 percent risk blind, but now you're aware and you can begin to talk to other leaders in your organization and other folks on your team. How can we be less risk blind here? How can we be more risk aware here and take steps towards that? And as long as you're always improving, always making it better, then I think that's the only way you can sleep at night. And if you're aware, you know, if you have visibility into the fact that you are risk blind, but you're working on not being as risk blind, and I think that goes a long way towards, you know, a peaceful mind when you leave the office for the day.

Brian Selfridge: [00:20:00] This reminds me of the old secretary of state, Donald Rumsfeld. We've got the known knowns and the known unknowns. And I think there's another category that he would say. Your version was much more understandable than that. So let's say you've got a handle, as good as you can, on where the assets are. You've got your risk aware of some percentage of the assets, hopefully most of them. How do you start to begin prioritization around what to chip away at first? I presume the bucket is so large that you could spend billions of dollars on remediation and never quite even get it all. What are some of the criteria, some ways that you think about prioritization, when you think about what to tackle first for a remediation standpoint?

Britton Burton: [00:20:43] So it's not easy, right? It's one of the biggest challenges we have. Any system of scale, I think, is going to have that challenge. And, you know, everyone always says, well, you make a risk based decision. But what the heck does that mean? It's different to everyone. Of course, that's what we want to do. But how do you actually do that? And it's as simple as it sounds. It's not easy to answer. So I think this is another maturity curve thing, right? If you're standing this up for the first time and you know, you've really just done the minimum to get by in the past from a compliance standpoint, the first, the most obvious way to prioritize key systems, areas of focus, probably is what's in the cross-hairs from a regulatory enforcement standpoint. I don't ever like to lead with that because I think it can only get you so far. But it is also a great first step. If you are lost in the wilderness trying to figure out where to start. Obviously with EHRs, you know, you don't have a choice. Because promoting interoperability requirements are there and require you to do certain things every year. The problem with starting there is so many of us have gotten stuck on only focusing on that or on only spending our energy on meeting those baseline compliance obligations because they're not simple to do that you don't move beyond that. So if you're beyond, OK, we've at least got that part down.

Britton Burton: [00:22:06] I think what you've really got to do is do a better job of tying assessments to company processes, so that you can use that as a differentiator for prioritization and identifying and fixing risk issues. You know, every system you come across is going to come with vulnerabilities and control deficiencies. But if that system isn't a part of a critical piece of operating your business or providing care, which is our business, right, then should we be focused on it? Maybe not or at least maybe not as focused. You know, there are a lot of other critical systems for a healthcare organization than just EHR. So your starting point may be, we know we've got to do the EHR because we don't have a choice. But when you're talking about operating modern healthcare and the supply chain and everything else that goes along with it, there's a whole lot of other critical, critical systems that allow you to operate not just effectively or efficiently, but to operate at all. And so tying to business processes is really important.

[00:23:10] I think, you know, on the remediation side, we're trying to do a better job of trending common problem areas. So when you do this at scale and when you have hundreds of audits and assessments of individual systems or individual processes going on throughout the course of the year, you're probably going to find common problem areas. So take, for example, you discover you have some sort of access authorization issue in a few different system audits, even if some of those are not maybe your most critical systems, it's probably indicative that you have a more pervasive problem across the environment. Right. So how do you try to address that problem globally? Essentially, how wide reaching is your remediation? And if it's more wide reaching, perhaps it takes a higher priority. And, you know, there's no one size fits all. I think some of the things that I've talked about are ways you can try to do it, obviously making your decisions risk based, whatever we mean by that. But tying criteria to it, trying to make it scientific in some way are other ways to do it. And at the end of the day, the most important thing is just do it, find a way to not get paralysis analysis, pick some priorities and go. And sometimes you just have to do it that way.

Brian Selfridge: [00:24:23] You mentioned the volume of assessments and audits that you have to just get through and find those commonalities and doing that correlation. Are there any recommendations you have on efficiencies, either process efficiencies or automation or things that can help organizations do that more effectively at scale, as opposed to maybe smaller organizations? You have your one assessment, okay, that's it, you work the plan. But any ways to get efficient on the large scale, either assessing or just correlating all that data in some meaningful way?

Britton Burton: [00:24:54] Yeah, I think the main answer is you've got to get your risk framework down in place. Figure out how things plug in. I already referenced it a little bit, but if you can create a framework where you know how to plug in risk relevant information, no matter where it comes from, it could be an internal assessment, third party, whatever it is. Right. How do you consume that risk relevant information in a way that is consistent? How do you bump it up against your threat, vulnerability and control environments and doing that so that no matter what the output is, even if the output is inconsistent, you have a consistent way to process it, to normalize it and to interpret it into your risk environment. That is also way easier said than done. Right. But if you don't have this, another term you'll hear me say a lot is: I want to create structure and science. Right. So the structure is, I know where to plug all these different findings and these different results of assessments, and I know where to put them. And the science is I know what to do with them once I put them somewhere. Right. So building that ability to consistently create consistent output based off of what is probably going to be inconsistent input is really important. You know, there are tools like GRC and IRM platforms that you probably have to embrace not living in spreadsheets. I think everyone knows that. But, you know, you don't just snap your fingers and have this amazing IRM platform that's got it all mapped and figured out for you. But I think that's where you have to start, because if you don't have that consistent framework, that consistent approach to do something with all of that risk relevant information that we've talked about, then you're just gonna be constantly overwhelmed and you're just gonna kind of go from one fire to the next.

Brian Selfridge: [00:26:43] When you're collating all this information, so let's say you've figured out all your assets, you've got your assessments in, you've correlated, you know where the fires are, where you think the priority areas are. How do you distill that down into something tangible that the business, from a leadership perspective, can make actual risk decisions around? Are there maybe a handful of key metrics or KPIs or pieces of information that you serve up to help the organization make those decisions they need to around risk? If so, what are some of the nuggets that you serve up, as opposed to dropping the entire database on them? Ok, here's all the risks, so what do you want to do?

Britton Burton: [00:27:25] Right. It's really hard to avoid that. Right, because you have all this risk information, and you're just like, here, let me vomit this on you. So I think basically the key that I am trying to do in my role is make risk visible to my leadership. So the risk is such a nebulous concept to so many people. And you ask 10 different people what they mean by risk and you'll have 10 different answers. Right. So if you can't make it tangible to people, especially people who don't speak security, right, then it will either be lightly regarded or not regarded at all, which is probably worse. So I think rolling up and grouping is key. You know, business leaders may not understand a threat vulnerability pairing, and they're probably not going to understand a lot of our controls, especially more technical controls. But they do understand concepts like data breach, interruption of operations, harm to a patient, you know, material compliance failure. They also understand key areas that can be grouped into light risks. And I think, you know, the new cybersecurity framework does a great job of that. Identify, protect, detect, respond, recover are the five core functions. And then you have a bunch of categories underneath that that I think are more of human translatable.

Britton Burton: [00:28:46] And then there are also groups, areas, that just people understand because we live in a modern technological world. So shadow I.T., advanced threat, medical device, Internet of Things, insider threat, aging I.T. systems, third party risk. You know, these are concepts that probably make sense to some level to people in your organization. And I think the more you can group and try to sort of all add a layer of abstraction to all the fine grained detail that we talk about with threats and vulnerabilities and controls and effectiveness and maturity, then you can roll that up into something more meaningful. And really, the key is just to try to figure out what resonates with your business leaders. And it may be that all of that resonates and you've got to pick the right thing or everything I just went through, none of it resonates. And you got to find something else, but find something that may not be out of the textbook for risk management or security, but contextualizes it in a way that that leader goes, I understand you're talking about, now are we red or are we green? Right. And how can you make that as plain and obvious to that person as possible?

Brian Selfridge: [00:30:01] It is super complicated. I always love that discussion because we have all of our jargon, like every other industry. Our jargon is some of the all-time most wacky jargon to try to figure out if you're not in the field. And I'm glad people are catching up to it. But I like the creative analogies that our field has had to come up with to figure out, you know, there's the whole we're protecting the house and the doors and windows need to be shut and locked. Do you have any go-to analogies that you find that resonate more than others or just stylistically seem to work?

Britton Burton: [00:30:32] Yeah, we've got a few. The layers of security thing is the classic, right? You've got the locked door, the ring camera, the monitored security alarm, the German shepherd, the locked safe, all those things. One of the ways we do some of our user awareness training is we call it: be the hero. And the idea is that, you know, any employee, whether you work in security or even I.T. or you're a frontline caregiver, you have the ability to report suspicious activity, not click on strange emails, make sure you log in to your VPN when you're at the coffee shop, you know those types of things. We use the crown jewels analogy for our most critical assets, which I think is a pretty common thing. A lot of companies now, human hygiene and security hygiene, are really easy to equate to each other, especially in a healthcare company. But, you know, the foundational blocking and tackling that usually winds up being the reason that most of these major security events happen. Patching, configuration management, you know, making that akin to brushing your teeth and taking your shower, you know, the stuff that you just know you have to do to be a functioning member of society. The keys to the kingdom is another one we've used with I.T. admin types who can have unchecked access to the environment at large and are we paying more attention to them, are we training them or are they aware of how broadly they can access the environment? There are several things like that that we've used to try to not speak security, but make something translatable to normal people.

Brian Selfridge: [00:32:05] I've got one I'm working on. I want to bounce it off you. So it's a little too soon to use it, given the context. But I think there's a coronavirus risk analogy somewhere. Like how much risk are you willing to take, are you willing to walk out with or without a mask on? And what does that mean? Are you willing to shake hands with other people, is that necessary? That's a nice thing to do. It's good social interaction. Is it necessary? And where are your trade-offs? I think everybody's making all kinds of risk decisions right now. And I'm hoping we can start having people think about that's risk management, your trade-offs. You might get it anyway, even though you're doing all the right stuff. Someone might sneeze in your eyes. I got to figure out, and I've got to work on that. I'll enlist you to help me with that as this plays out.

Britton Burton: [00:32:49] Yeah. There's something there, you know, risk tolerance is such a difficult thing to define in a lot of organizations. But you could make the comparison between, you know, the risk tolerance of someone who works in a hospital or in a meatpacking plant versus someone who has a white collar job and can work from home. We probably have different calculations we're doing to decide are we going to get up and go into the quote unquote office today? There's something there. Yeah.

Brian Selfridge: [00:33:15] Yeah. Or the folks that are out on the beach this weekend and places that have quarantines in place, very different risk tolerance. Do you want to be the guy on the beach or do you want to be the one, you know, taking reasonable precautions? Up to you, your business, you choose. So how do you get to that point where that risk decision is owned? Not only understood, so, yeah, putting data up and saying this is where we are, and we're trying to prioritize, but where you can get the business to actually get that ownership, and maybe they have it already. Do you have any ways that you empower the business to make decisions on the risk versus information security risk management, just doing the best we can?

Britton Burton: [00:33:55] Yeah, it's a constant battle. I mean, it's another one of those things that I can't say we're perfect at this by any means. But just again, trying to make constant progress towards a desired outcome. Right. So it's really critical. I mean, in our profession, we tend to do risk assessment in a vacuum. And it makes it really, really hard to get anywhere with remediation, with fixing risk. Right. Because the business has very little knowledge of what we're doing or why it matters. So another term that I use a lot is the concept of business value creation. It really goes back to what I said earlier about tying, you know, assessments to business processes and not just an IT system. So ultimately, I believe that the owner of any business process also owns the value creation that that process provides for the company. That value creation can be financial, can be, you know, quality of care, can be operational excellence, can be any number of things. But most business processes exist to create value for the company. I'm sure there are some that exist because that's what we've always done it, right. But even those probably have some level of value creation. But those processes also introduce risk. And those process owners, I believe, own the risk that that process introduces to the company.

Britton Burton: [00:35:13] Of course, usually, processes are supported by some type of I.T. system, and I.T. systems inherently introduce risk. So that's the way I try to trace things together and communicate. You know, our job is managing risk, but we do not own risk. We are trusted advisers. We are accountable to do something about risk, but ultimately, you know, that business owner, those different business owners who own processes, who own value creation and reap the rewards of value creation of process, also own the risk associated with it. But that's a massive culture change. Right? And a mindshift for so many people because business folks assume that the information security team has its security problems under control. That's a technical thing. You know, we're going back to the legacy of security was that's what it was. And as much as it has matured, and you read an article every day about the board now cares about security. There's a difference between that, I think that is absolutely true, the board, the CEO, all those types of people care about security, but when it comes to understanding, you know, tactically on a day to day basis, that the decisions they make about creating value also create risk and they own both. That's a whole different ballgame.

Britton Burton: [00:36:27] Though, I believe you always have both. Well, either none or both. You either don't have value and don't have risk or you have value and you have risk, but you're probably not going to have one or the other. And it's just about communicating that. You know, I don't think there's a magic bullet to change this mindset. We're better now as an industry than we were a decade ago. Oddly enough, ransomware is probably the number one reason that we're getting the attention and the buy in that we're getting. But it's really just a grassroots communication effort and meeting with the right people and making risk visible through some of the things we've already talked about to those people to help them understand the concept of risk ownership and why they should care. Right. If the process that they know creates X amount of revenue or increases patient satisfaction scores by X could be at risk because of security, then they're probably gonna care about security more. Right. So you just got to try to bridge that cognitive gap that I think exists. And again, not easy. It's kind of a one by one person thing. You win the hearts and minds of people. But that's the way that I think it can be done, if you're having trouble getting that buy in, that care about what you're doing.

Brian Selfridge: [00:37:45] Well, let's talk about those relationships a little bit. I think in some organizations, small, mid-sized organizations, you build key relationships, you have the conversations, and that trust builds over time. How in the world do you do that at scale when you've got the number of facilities, number locations and just the sheer volume of people in your life to win the hearts and minds? What are some ways that you still move the program forward, unless you're out, you know, being a politician and you're on the road all the time, kissing babies, shaking hands. So I guess the social distancing equivalent of that in the future. But how do you build those relationships at scale?

Britton Burton: [00:38:24] Yes, so I've got 4 big tips here, but I'm actually going to start off with, I won't use the word politician because that has a negative connotation, but I do think, as a person who leads a risk function within security, you are not the technical bits and bytes guy. Usually your job is to engage business and people who do not speak what most security professionals speak. So, you know, I never miss the opportunity to engage with a leader that I figure out has some sort of relational value to me, whether that's, you know, a happy hour that people are going to, some day will do that again or, you know, a meet and greet of a new employee or just pulling someone aside who you've heard their name and you're in a meeting with them. You're like, oh my goodness, that's Joe, I've been wanting to talk to him. I can get two minutes with him and introduce myself. Right. Finding reasons to get face time, I think is important. That's what I mean by grass roots relationship building and just being willing to step out of the IT closet and go say hi, here's what I do and I'd like to talk to you. Can I get some time with you and your leadership team? But the real tips that I'll give that I'm working on myself, you know, is to find those right people. Right. So there's four different ways that I think you can find those right people. The stock answer to your question is we've got engaged senior leadership. Right. And that's another one of those, what the heck does that mean? And, you know, depending on the size of your organization, senior leadership could be hundreds of people, maybe even more.

Britton Burton: [00:40:00] So I think there's four different ways you can slice this. One is find a senior leader who actually has some kind of interest in this topic. Whether it's specifically cybersecurity, that's maybe not always super easy, but risk management in general. I think no matter what line of business you're in, you have senior level leaders who understand the concept of risk management and care about it. And you may be able to engage them, and they might be more inclined to champion your work because they're like minded with you. So find that person, right. Number two, see if you can get a list of all the different committees that your company already has, and if any of them have any kind of mission statement that's close to what you're wanting. It's a lot easier to slightly expand the existing scope of a committee than it is to try to stand up something new, because no one wants one more meeting, one more committee. Third thing, you know, if your company has an enterprise risk management function or team, find ways to partner with them. You may not even be really sure how you fit together with them right now. But the one thing that those people definitely have is access to key leaders. Business leaders understand the concept of enterprise risk management and all the things that come along with it. They just may not be aware that cybersecurity is that level of enterprise, an issue that is tackled can be tackled through enterprise risk management.

Britton Burton: [00:41:25] They may not equate that cyber is another side of the risk management coin, but it's your job to make them understand. And if you get that relationship with your enterprise risk management folks, that's just a bridge to access to more leaders that you may not have otherwise. And the final one is maybe the simplest one. Leverage your CISO. Right. I believe relationship building with other high-level leaders is a mandatory part of his or her job. Right, so if CISO is good at what they do, and they're respected in the organization, they can send an invite to any senior leader in the company and that person will join the meeting. There are maybe situations, where it's challenging, there's relationships, someone doesn't understand it, doesn't get it. But for the most part, if that CISO is good and they spend time developing relationships, then people will respond and you can say, hey, I would love to get the chance to talk to this person. Could we find a reason to get in a room with them? The key with all of this is to make sure that you've got something valuable to say when you get the attention of those folks. You cannot waste their time. They are senior level leaders for a reason. Or make it seem like you're just wanting to shake hands and get that face time. But if you come to that meeting with a specific purpose and a desired outcome, I think you can really just begin building relationships through some of those ways I mentioned that will be really, really valuable to you down the road.

Brian Selfridge: [00:42:49] So I've got one last question for you, and it's a bit unfair to put in the last question format, but we've talked about risk management, we've talked about all those topics of sort of avoiding the breaches and how to prioritize and all that stuff. I want to talk about compliance just for one moment here and especially at scale. Are there techniques that work or don't work when you're trying to figure out how to check the HIPAA boxes and PCI boxes and other sort of typical compliance areas, state compliance? Do you have any recommendations on what works or doesn't work at scale when organizations are trying to make sure that they're jumping through the appropriate hoops, at the same time, managing risk in a prioritized, effective way?

Britton Burton: [00:43:31] Yeah, I think the short answer to that is to spend time doing the detailed legwork that it takes to tie every control standard, every actual control implementation in your environment to the authoritative sources that are driving that control. This is not simple, not quick. It's not glamorous work. But the more you can, you know, make that just a foundational piece of your program through your controls framework, the easier it becomes to report on compliance requirements. And you can still focus on the big picture of we care about risk at the end of the day, not compliance. Well, of course we care about compliance, but our main focus is risk. But as we have all this mapping inherent to do, we do this control and this performing this well, mitigating this threat and this vulnerability. If we know that that control exists because it's tied to a HIPAA requirement or a PCI requirement or whatever it is, it's just a lot easier to report on that. Again, that's difficult work. You don't just snap your fingers and you've got it. But that's in the wheelhouse of GRC and IRM platforms. Right. So how do you leverage those tools to try to make that reporting as seamless and as quick as possible, but still have to be a part of your bigger picture risk framework, making risk visible to your leadership? I think you can have it both ways. You just got to build the foundation, and that can take a very long time.

Brian Selfridge: [00:45:01] Great. So we can have our cake and eat it, too. We just can't share it with anybody outside of our immediate household at the moment. Well, Britton, this has been fantastic. I could talk for days and days with you for sure. And I appreciate the insight you shared with our audience. But I will let you get back to the good work of helping the healthcare system do what it needs to do. So I'd like to thank my guest, Britton Burton, who's the Director of Risk Management, Information Protection and Security for HCA Healthcare. Britton, thank you so much for joining us. This has been great.

Britton Burton: [00:45:30] No problem. Thanks so much for having me. I really enjoyed it.

Brian Selfridge: [00:45:41] Again, I would like to thank my guest, Britton Burton, for an enlightening discussion on managing enterprise security risk at scale. Britton shared some awesome nuggets of information that I'm certain can be applied immediately to mid to large size healthcare security and risk programs. We even identified some new Corona-related analogies that you can take home with you and figure out how to help support your information risk decisions.

Brian Selfridge: [00:46:01] As always, we would like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you'd like to hear about or thought leader you'd like to hear from. Our email address is [email protected]. That's C.Y.B.E.R.P.H.I.X. Thanks again for joining us for this episode of the CyberPHIx. We look forward to having you join us for the next session coming up soon.