Passion for Security: The Future of Healthcare’s Workforce, Technologies and Regulations


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Passion for security, getting to the heart of an issue and cutting through the “IT fluff” are the topics of this CyberPHIx podcast episode with Joey Johnson, CISO of Premise Health.

Premise Health is a leading provider of direct 24/7 healthcare access services, offering more than 600 health and wellness centers in 44 states to many employers, including many Fortune 1000 companies.

In this episode of The CyberPHIx, Joey and Meditology Services ITRM Partner Brian Selfridge have a candid conversation about emerging trends in data security:

  • Passion on the job as the most important job skill for data security
  • Strategies for dealing with IT staffing shortages
  • How to call B.S. on the latest, greatest trending technology requisition
  • Methods for effectively evaluating and prioritizing new security technologies, applications and services being introduced into the healthcare market
  • Navigating emerging data privacy requirements at both the state and international levels

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:09] Welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we will be bringing you pertinent information from thought leaders and healthcare information, security, and privacy. In this episode, we will be speaking to Joey Johnson. Joey is the Chief Information Security Officer for Premise Health and is also an active leader in a variety of information security forums and industry organizations. Joey is a passionate CISO and security evangelist and we are excited to have the chance to speak with him today on a variety of topics ranging from the cybersecurity workforce, security automation trends and tools, and regulatory shifts and much more. We would also like to hear from you as well. If you have a specific topic or thought leader that you would like to hear from, just drop us a note at [email protected]. That's [email protected]. Now let's get to our interview. 

Brian Selfridge: [00:01:10] Hello, this is Brian Selfridge, host of the CyberPHIx, the industry's leading podcast for information security and privacy, specifically for the healthcare industry. I'd like to welcome my guest, Joey Johnson, today, who is the Chief Information Security Officer for Premise Health. Premise Health is an industry-leading direct healthcare company that provides access through onsite and near-site health centers and 24/7 virtual health to help people get, stay, and be well. So that's an important mission. Joey, thank you so much for taking the time to join us today. We're really excited to get an opportunity to hear from you in all the years you've had in this field. Thanks so much for coming on. 

Joey Johnson: [00:01:47] Absolutely, Brian. It's a pleasure. Thanks for having me. 

Brian Selfridge: [00:01:50] Joey, one of the things that we've seen a lot of our colleagues struggle with these last few years is around a general shortage in cybersecurity skilled resources out there, folks that have the right, either industry background, whether it's healthcare setting or just core cybersecurity skills, and trying to get that sort of next generation of cyber warriors lined up. Is this something you've seen as well? Have you had to deal with this in your own time, and what are some of the ways you kind of have been able to build a pipeline of resources, given the relative lack of available talent out there in the marketplace? 

Joey Johnson: [00:02:31] Yeah, definitely, I mean, it's a real thing. I've seen it, and it's taken us a while to get our team here at Premise Health together. I think that our approach to this has really been, I've stayed with what drove me into the industry to begin with, and I think that that's what keeps and holds people's interest that are into it now. Even though there is a shortage of available people to fill the jobs, we'll probably touch on this throughout the podcast, but my belief is we don't have a talent deficiency. We may have a skill deficiency, but we don't have a talent deficiency. The talent is out there, because if we look at where this industry was 15 years ago, 20 years ago now, almost when I got into it, there was no formal training around this. Everybody was self-trained. And they got into this because they had a passion about it. And it was something that wasn't a career, and it turned into one. And those people are still out there. And so what we've done is kind of taken a dual-pronged approach. One is we found that what brings people in and helps them stay here is that they want to be part of something. They want to hear the name of the organization they're going to and say, man, I hear good things about that. I know that they're doing cool stuff. I'm not just going to go there and get pigeonholed. Right. I'm not going to be the AV person or the firewall guy or the GRC girl or whatever it is. Right. They want to come and spread their wings and kind of explore what it is. 
And what we really try to do is focus with our workforce on helping them not just do their job as a security and privacy professional, but really help give them visibility to how the job they're doing is changing the business, is driving the business, instead of hindering it, and trying to always make sure that we are really on the bleeding edge, working on really cool projects and giving people the opportunity to come in and kind of really get into what interests in what piques their curiosity. And it's working, right? I mean, today we have a really, really low attrition rate on the security team because they're here. And that's kind of like a force multiplier, right? Once they come in and they see what it's about, they don't want to leave. And that attracts more passionate people and that just kind of has a cumulative effect. So that's really been our approach around it. 

Brian Selfridge: [00:04:44] That's great. What are some of your sources for the talent that you are bringing in? Is it mostly referrals? Like you've got a great team, and they find people and say, well, you love your job. What can I do to work with you? Is it more of that sort of model, or are you digging into universities, or do you pull from experience, talent? Where are you sort of pulling those folks from? 

Joey Johnson: [00:05:05] Well, I'm an equal opportunity talent sourcer, but I will say, for the job reqs that go up that we formally post for, a lot of times it is word of mouth. A lot of the folks on my staff are either involved in one fashion or another in the conference circuit, either they're supporting it or they're doing talks at conferences or holding sites or doing things like that. And they are kind of passionate, and they're front and center in whatever their chosen arena is. And when roles come up, those are usually the first ones to go pulling people. They say, hey, I actually know somebody who'd be great for this. Let's see if we can get them. And we just kind of hold informal conversations. I think normally when we talk to candidates, the first thing we do is just feel them out, see if they're a cultural fit, see if they've got the passion that we need, and the rest kind of goes from there. We do get some candidates that we pull informally from reqs. It's very, very infrequent that we would have to use a recruiter, not because they don't produce good candidates, but just usually we've had candidates come to us before that's had to occur. 

Brian Selfridge: [00:06:12] What are some of the skill sets that you look for predominantly? So obviously the passion is a big piece of that, and you want folks that are motivated and sort of that cultural fit and all that good stuff. But are there specific skill sets that you think you sort of go after if you are doing that open requisition and you're taking in resumes, that you're really looking for that top one or two skill sets? What would those be, or is it dependent on your given situation and the need you're trying to fill? 

Joey Johnson: [00:06:42] Well, yeah. So to a degree, obviously, it's going to depend on the role we're trying to fill. I mean, we're going to be looking for a different skill set, outlook and mentality from a red team pen tester than I'm going to be looking for from an IAM engineer, than I'm going to be looking for from somebody on my GRC team. But obviously, as I just said, passion is first. And I'm less looking for expertise on a certain skill set or technology. Right. I want to know that they have the underlying fundamentals to come in and pick up and do something new, because it's a really fast-moving industry and the skills you needed today are not the skills you need tomorrow. So on the technology side, I'm looking for some baseline fundamentals, right. Everything's going towards automation these days. And certainly I need people who are going to be able to script. They've got to have some kind of capability to at least understand coding on a fundamental level. They've got to understand TCP/IP networking on a fundamental level. The baseline things are what I want them to understand. Because I can teach anybody a tool, right? It's just a UI with some logic behind it that a vendor has created, and they're great. But I don't need somebody focused on saying, hey, I know this one tool really well. It's the same thing if you flip the coin to the GRC side of the house, which sometimes in our world is less hands-on technical. But I need to understand that they know how to look at the world and evaluate risk. Right. Because the whole thing is not about shutting down every risk. It's about empowering your business to move at the highest risk level possible without experiencing the casualties, effectively. 
And they need to know how to have a practical mind to be able to analyze that and really come to a consensus about what risk is rational and what risk is real and understand what the business is really trying to do and get done and be able to kind of provide solutions and approaches and strategies that are going to going to marry nicely with that. And so I really look a lot at the way that they think and process the world. 

Brian Selfridge: [00:08:41] So how important are the soft skills side of things? You've got the technical skills for sure, and TCP/IP networking stuff, and you've got your risk management sort of lens skills. How about the sort of interpersonal relationship building stuff? Are you looking to sort of build future leaders when you bring somebody in, somebody who's going to be that CISO of the future that can do everything, that can know the technical and interface with stakeholders? How important at the entry level, or when you're hiring maybe entry level or second level up, are those soft skills at that stage? Or is that just something that you sort of deal with later down the line? 

Joey Johnson: [00:09:18] Yeah, I mean, again, it depends on the role. There are some personalities in job roles that they really aren't ever going to want interpersonal interaction or communication, and their job role may not require that. A lot of times when you look at some of the threat hunting teams or the pen testers, I mean that's a very specific kind of mindset. And those candidates are cut from a different kind of cloth. But even with those folks, a lot of them come from consulting gigs, and they're tired of being a hired gun that gets to do a test and never gets to see the fruits of their action, if it created any change in the organization. So even with those types of candidates, they want to see the outcome of what they've done. They want to see that it has some effect, and that requires developing those soft skills to have the conversations with those audiences. In all of the roles on my team, that Premise culture is really, really important to us. And so you have to be able to fit in the culture. But I have found that for a security program to be really effective, it's got to be effective beyond the personnel that are reporting up to the security function. It's the oldest adage in the book and very cliche to say security is everyone's job. But I think in today's day and age, people have an acute understanding of the kind of IT security. They deal with this in their daily lives. They have multifactor authentication set up on their personal bank accounts and things. So people have an understanding today. And what they need is somebody to help them understand what the guardrails are. I see our function more as being a trusted adviser to the organization. When they come to say, hey Joe, we want to do this thing, what's the right way to do it? We want to do it, and we want to do it right. And you have to empower people on your team who can articulate that message appropriately. So I really do think the soft skills are very important. 
And I push a lot in the industry to really get folks, get colleagues to look at that and take accounting for that because I think it's critical. 

Brian Selfridge: [00:11:23] It's funny you say that. I think it's definitely been a shift. If you look at 10, 15 years ago, those of us in these roles were sort of just trying to educate about why this stuff's important. That's certainly flipped the script. Now, it's like they come to us and say, how do we fix it? How do we do it right? It's a different problem to solve, a better problem to solve than maybe it was a couple of decades ago. Now, Joey, I believe you've done some work with universities, and you've got a lot of extracurricular experience sort of outside of the immediate organization. What do you see coming out of the sort of academic side of things? Are universities producing the right types of resources coming out of school to meet some of these emerging cyber roles? Are they hitting the mark, are they missing the mark? Do you have any perspective on the academic side of things? 

Joey Johnson: [00:12:11] Well, certainly we need the academic side of the equation to help in producing some of the talent we need out there. I think it's a mixed bag, like anything. School is all about theory. And in theory, theory and practice are the same thing. But in practice, theory and practice are not the same thing. And we all learn that with some experience. So I think like anything else, there's a little bit of rationalization we have to do in evaluating that skill set. It's interesting to me seeing somebody come out of school with a degree in infosec or privacy or cyber law or anything like that. It is a piece of the equation to me. But it's not necessarily always a differentiator. Again, I look back to where we all kind of came from years ago. Those of us who are in the industry and have been for a long time, and there was no dedicated discipline. You had to go out and learn everything that you learned on your own because you are passionate about it. There were no CEH courses. There were no degrees around it. There was none of that stuff. And so I think people still have the capability to learn that. And so I would not discount somebody because they don't come out of school with that. Now, I do think that it's really come a long way. I'd say in the past six or seven years, I think that the schools are really starting to put together some very good curriculum. The ones that are more effective at it, I think, are finding innovative ways to make sure that people are getting the appropriate real-world exposure, real-world hands-on skills. They're putting them through things that are going to kind of test their knowledge in a different way, right? The way that you test your ability to kind of produce in this market is not necessarily because you pass the test well. So I am encouraged by what I've seen. 
I mean, I think there's certainly a long way to go, but as long as we have so many jobs open, the schools are going to be pumping out candidates to fill them. 

Brian Selfridge: [00:14:07] I'd like to switch gears with you a little bit from the people side of things and over to the technology side of things, as people process technology, we'll talk about all three today. Let's talk about the tech a little bit. It seems to me, and you can agree or disagree with this, that the security automation technology space has sort of been on this ramp of a sprawl upwards over the last several years of the sort of volume of products that are on the market, the niche products, the broad products, the portfolio products are just coming out every day. And there's a lot of really cool stuff out there for sure. How do you make sense of that sea of available security solutions and products and technologies and figuring out which ones with limited time, budget and resources are the right fit for you, for the organization, for this point in time and also maybe for the future? How do you go about just even beginning to tackle that problem? 

Joey Johnson: [00:15:06] We could talk about this for a while. And in fact, there's an industry talk that I do sometimes, in fact, it's for CIO audiences. And it's called "How to call BS on your CISO." And the whole gist of the conversation is really getting down to the heart of that question. Obviously, there is just this tsunami of solutions that are coming out. And anybody that's been to a Black Hat or an RSA, all these other shows or something, has seen these massive floors of all these vendors. And I walk through there sometimes, I try to avoid it at this point, but I get caught walking through there and I'm always thinking, look at all these booths, look at all this investor money. A lot of this is just going to go to waste. Half of these companies won't be here next year. They're going to get commoditized. They're going to get absorbed into something larger. At the end of the day, the funny thing is that there's a lot of fluff out there, but some of the needs that have to be addressed by an organization are real. And you can only split your dollars so many ways, and you've got to figure out what you're going to do with that. And the tactic that I've always kind of taken to folks, and like I said to CIOs to challenge their CISOs, is let's take a vendor solution out of the question for a second. And let's talk about your readiness. Are you strategically ready? Are you tactically ready? Are you at the maturity readiness point to even begin having this conversation? Right, if you're not doing fundamental hygiene 101, you can throw fifty point solutions at it, and you're still not going to reduce your risk that tangibly. And you can solve that security hygiene issue without going and buying a solution. Right. And you can get a lot of ground. And you can win a lot of favor with your organization by reducing that risk natively. 
And the other thing to remember is that, strategically, when I talk about strategic readiness, I mean like every product, every program, every single thing you bring in house, somebody's going to run that, right. And I always like the Great Wall of China analogy. If you look at the Great Wall of China, it's huge. It sprawls very far. But as you get out into the Gobi Desert, it's falling apart. And the reason is because you can only implement so many things. You can only wrap your arms so far around the world, and security solutions are the same way. You can only implement so many of them before you hit resource exhaustion. And I think most organizations could look today at some technology they brought in because they needed to have it. 

Joey Johnson: [00:17:23] Security said, by God, we need this, and we've got to bring it in. And you know what, it sat there and collected dust for a while. I can't tell you how many organizations I've seen say, hey, we've got to get a SIEM, but they hadn't yet even solved how do I get all logs to one place yet. Before you spend a bunch of money on a SIEM, just make sure you can get your logs to one place. Right. And so there's stuff like that with a tactical readiness that matters too. Or like if you're going to bring in some tools or something to address some security initiative, you're going to bring in like a NAC or something. Well, you've got to take account for the fact that security is awful about creating initiatives and bringing in things and not really realizing that 80 percent of the work that they need to get that job done, they're going to look back to their I.T. or their infrastructure or their applications team and say, hey, we got this thing, and now everybody's got to jump in and do a little work to get this done. And that wasn't on their radar. That wasn't on their priority stack. So there's a lot of things before you even address a solution. But if you can get through the strategic readiness and the tactical readiness of knowing who's going to take this thing on and drive it, then you can start to look at the questions of are we actually ready? Just because you can do a thing doesn't mean you should. And if you are already solving the network hygiene things, and if you've optimized the things that you have and you've made the determination that you need this technology or this skill set in-house, you might be at the point to go start evaluating that. One thing that I always challenge my teams with is they come to me and say, hey, this is the new problem du jour, and we need a solution around it. I'll ask them, show me, tell me three ways we can partially solve this same problem without that solution. 
Some of those capabilities exist in existing toolsets. Is it overlapping? Do we have something out there that we have not optimized entirely, where all we'd need to do is maybe buy an extra module or spend extra TLC on it and get it doing what it needs to do? Maybe so, maybe not. Maybe we really do need this tool. But I've found that when we step through the readiness questions of strategic, tactical, and maturity readiness, at the end of that equation, it becomes pretty clear what you need in your shop and what you don't. 

Brian Selfridge: [00:19:29] How important to you are sort of the process and procedural side of the components that go along with implementing technology? Do you push for formal procedures when you're in that readiness phase? It's always a big debate, the sort of paper side of things, of do we document procedures or not. Where do you fall on that sort of spectrum?  

Joey Johnson: [00:19:49] When you start talking about process, I think that that's really, really important. And that's one of the places where I kind of go back to the importance of having your organization engaged beyond just the security function. Because if you get the appropriate process in place, you can solve a lot of problems before they become problems. I mean, an example that I've used is with our third-party risk management team. We have a gal leading that team, and she's been extremely effective at engaging with the organization and implementing standards where they need to be. There were things that didn't have a standard, and we didn't need a solution around it. We could have gone and bought a solution to do certain things, workflow automation or other things. But a lot of times it was just getting the right people into the conversation to talk about something and understand the problem that needs to be solved. And that became not a problem anymore. I think there's a pretty common pitfall for organizations to spend, whether that's financial resources or people resources, addressing a theoretical problem that's not necessarily yet a real problem. And you can avoid it becoming a real problem by implementing the appropriate processes and procedures. So I think that that's really important. I'm not a really rigid person, but I do think that implementing the right framework to help your organization stay afloat goes a long way. 

Brian Selfridge: [00:21:10] So let's say you've done your readiness assessment, you've identified that, yep, we definitely need this technology. I don't know, I'll pick one for example, like identity and access management. Yep. We need some sort of provisioning tool to make it up. We've done our assessment. We've got the right people. We've got it lined up. If you're giving advice to other CISOs out there just trying to make sense of this, what do you think are some of the ways and resources that you use to figure out, OK, I know the space I need to go after. How do you go about figuring out what's the right technology fit for you? Do you go through big formal requirements gathering stuff? Do you go to Gartner? Like what's your method to the madness there? 

Joey Johnson: [00:21:51] I think the right approach is going to depend on the skill set you have in-house and how much you trust them to independently evaluate those types of solutions and how educated you think they are in that space. You know, I don't always necessarily look to a Gartner or Forrester or anything like that, not to discount them in any way, not that I won't look at the material, I will. But that's not necessarily the first place that I start. The first place that I start is OK, we've decided that we need this thing. So let's stick with IAM, for example. Right. That's a great one because IAM can very quickly become a boil-the-ocean project with massive scope. And so I say, OK, so we need a solution, I agree with you. What are the specific use cases that we're trying to solve with it? We know that we need IAM for provisioning. How? Why? What does the solution solve? Are we automating getting something out of an HRIS system? Are we trying to deal with making onboarding and offboarding more efficient? Are we trying to really solve for access accreditation across various systems? What are the use cases specifically that we're trying to solve for? And I really try to make them go very granularly through that. And then, having been through that, it helps to build some functional requirements of what that end solution needs to deliver. And I found that when the team is armed with that knowledge, they can get a lot more granular with the different vendors to understand how they're going to meet that specific use case criteria. And that's when the real interesting questions start coming out, like, oh, well, we do kind of support that, but you would need a third-party thing to do X, Y or Z. And the answers start becoming really clear. 
Like, oh, OK, well, you're the industry leader, but we need this endpoint thing because we inherited a company, and they've got a bunch of Windows XP still running, and we've got a two-year runway until we can get rid of it all because there's too much of it. And your really cool industry-leading endpoint solution doesn't really address old legacy technology. Well, that's a very interesting use case. Right. But an organization, if they don't identify that use case clearly, they're going to be unhappy with what they got, even if they got the best of breed on the market. 

Brian Selfridge: [00:24:08] Now, with the trade shows you go to and the booths and everybody's new products that are coming and going, to me, it seems to be on this exponential curve upward. But just putting on your sort of crystal ball and your prognosticating hat, do you see this sort of vendor sprawl creep thing continuing for years to come? Or do you think that the market's going to consolidate back and rally around the Symantecs and McAfees, the big horses out there? I'm putting you on the spot with a bit of a futuristic question. It's always hard to predict, but do you see any trends there? 

Joey Johnson: [00:24:47] Well, I mean, you kind of led off with it. I mean, it feels a whole lot like the dot-com era, doesn't it? But I'll say this. I think that the stable large players in the organization, in the industry rather, they've got staying power, they're going to go around, and they're going to continue to take the tack of trying to do some kind of interlock through doing acquisitions and getting you bought into their suite of products. On the other end of the spectrum, it's interesting. I see lots of very, very fragmented innovation. I see some really great ideas and technology products that aren't marketed well or articulated very well. They might be marketing something about their technology, and I'll look in and say, wow, you're completely missing the boat on your best differentiator. There are spaces that I think are just not highly differentiated that much. Like if you look at the endpoint market right now, there's a bunch of different companies doing a bunch of different things, but none of them, I mean, there's been no paradigm shift there for quite some time. So I'm sure the vendors would argue with that. But there are no real massive differentiators there. I think that we're going to see a lot of stuff continue to follow the path of new things, new risk comes out, and then shortly thereafter gets commoditized. That's what happened with CASB. That's what happened with MDM. That's what happens with DLP. That's what happens with a lot of these things, is the bigger product suites will look and say, hey, it's not a heavy lift for us to either acquire that or to build that capability into our system natively. And the competition is not just in the security vendor space specifically. You see Microsoft doing this, right, with all the things they offer in their E5 bundle. Right. They've got a whole bunch of IAM stuff in there and endpoint security stuff and MDM. I mean, you're seeing those guys kind of step into that space. Amazon's doing that. 
So it's really getting commoditized even down below that. I think that will continue. But I don't necessarily see the investor dollars drying up in the space any time soon because there are still a lot of pots of gold to be found. And the other thing is that in this world, our adversary constantly has the same tooling available to them. So the cat and mouse game isn't going to stop anytime soon, until it stops being valuable to be involved in cybercrime. And the goalpost keeps moving and the tactics keep changing. And the ways that people are trying to address that are going to continue to evolve. So we will continue to see new things. As technology curves outside of security continue to expand, whether that's in big data or AI or IoT or all these other spaces, security is going to inherently lag behind whatever that innovation is and have to find ways to kind of deal with it, address it and secure it. So it's not going anywhere. 

Brian Selfridge: [00:27:34] Keeping our futuristic hat on, I guess, what's our ultimate outcome here, do you think? Is it to get these security capabilities baked into the business applications, baked into training and awareness where it's everybody's job, as you said, and the Microsofts of the world, they come with DLP, right, it's just there already, or they come with two-factor because that's what you do. Is that where we're headed, where security is becoming baked in more, or do you think we're going to continue with this sort of point solution, sort of firing lasers at specific problems forever and ever? What are your thoughts there? 

Joey Johnson: [00:28:12] Yeah, I mean, I do think that we're going to see it highly commoditized and just baked in natively. Right? And more and more, because security over the years was a thing off to the side for a long time, and it isn't any longer. It's a market differentiator. Organizations will win and lose business based on at least the perception of their security posture. People are not going to use banking applications that they don't feel are secure. They're looking for security in their social network platforms. People are looking for that now in the same way that they're looking for other feature sets that they want out of a user interface or anything else. So it's inherently going to be there. It's going to be baked in because organizations can't compete without it now. I think that that ship has hit the shore, and it's going to stay there. There will always be some degree, I think, of point solutions. But I think the market is getting, hopefully, a little bit more mature and understanding that the more effective they are at leveraging what they have at their disposal first will then lead to what they need to do from a point solution perspective. I do see things like all the emergence in the IoT space and wearable technologies and all that creating sort of a new curve to deal with. For a long time, data was kind of this corporate thing, right? It's a workday on your work computer. You created it, the company owns it. That's kind of gone, right? I mean, all the data that's out there with the social media giants and all the data that's out there in the IoT devices and all the data that's out there in the wearables, that's only going to increase exponentially. And data ownership and the rights around who's responsible for that, and the security around that, that's still an evolving space. So there's going to be things coming to market to address that more and more. 

Brian Selfridge: [00:30:15] It's a great point, so as we move to this follow-the-data type of model and less about the four walls of a particular environment and protecting the information, maybe we can switch gears and talk a little bit about the regulatory space. I'm sort of in parentheses there, referring to the GDPR stuff coming out of the EU, the Global Data Protection Regulation, that's very much built that way, right, around it's all about where the data goes and putting wrappers around that and protections around that, as opposed to securing some big fortress somewhere. First off, you can agree or disagree with that, but do you see the regulatory side of things, either internationally, nationally, statewide, moving in that direction? Or what would you recommend, I guess, would maybe be a better question, because laws are usually sort of behind the times. Do you think that's where we need to go? Or how would you sort of shift the regulatory framework to keep up with that follow-the-data type of situation we have to deal with? 

Joey Johnson: [00:31:11] Yeah, I mean, I think this is one of the most fascinating things that we're staring down the barrel of, because from my perspective, humanity as a whole has never really faced this particular kind of conundrum before. When you think about legal frameworks, not only are they inherently kind of behind the curve of technology, that's always been the problem, but the technology just moved so fast that the law doesn't have a chance to catch up. I mean, just think of how we're struggling to even figure out how to regulate things like drones and the privacy implications there. But what also makes it interesting is that when you think about law, inherently, it's a framework that's built to govern a people and processes within some kind of border, whether that's a state border or a national border or something. It's a way to govern and maintain sanity around a certain group of people. Data doesn't care where it is. And it can flow through 15 countries in a millisecond and live replicated on 20 different servers and get morphed in various ways along the way, where that data ownership and the accountability associated with that becomes cloudy. And as it traverses all those national frameworks and different regulatory bodies, the laws, as well-intended as they are, enforcement is a real challenge, and attribution is a real challenge. I was talking with somebody the other day, he's a CISO over some cruise lines, and he was indicating just the complexity that they have to navigate having a floating hotel that's going from nation to nation to nation and then over international waters, all the things that apply there, and having to deal with all the different privacy ramifications. It's really complex. I think that we're going to see, globally, some shift towards the kind of standardizing that a little bit better. But the trick always is that the devil's in the details, right? 
I think that the legal frameworks are still really struggling with how to set a standard that has the right amount of applicability at the large scale as it does at the individual scale. And I don't think we've really solved that very well yet, to be honest. 

Brian Selfridge: [00:33:36] It would be hard to disagree with you there. I think the regs have a long way to go. I guess, at the risk of being entirely pessimistic about it, what do you think the current regulation landscape has right? What have we gotten correct here, whether it's HIPAA, GDPR, really anything out there internationally or nationally or even statewide? Is anybody getting it right, at least in pockets, or are there certain pieces that you think are worth really rallying behind that you can think of that are worth keeping around? And we'll talk about things that should go. But what do you think there? 

Joey Johnson: [00:34:12] Yeah, so they're all well-intended. I'm a bigger fan of sort of the industry frameworks more than I am of the state and government-oriented ones. I think that the states and the government, especially in the US at least, especially through NIST and things like that, do a good job of providing guidelines and getting some thought groups together to kind of build that, which is different than mandates. I think the compliance frameworks are doing a good job of kind of, you know, I look at it like a juggernaut, right, it's going to slowly pull the tide where it needs to go. But it's not going to compete out front with the speed boats that are flying around. In our organization, obviously, we do healthcare from a provider perspective, and we're providing healthcare directly to large Fortune 500 companies and the like. And they are operating at an industry-leading level, and they're expecting us to be there with them. And what I found is I think when you look at industry leaders, they are solving risk problems before there's a blueprint for how to address that. They were dealing with BYOD and the global concerns before those things had acronyms. And those organizations are going to, over time, find some corollaries in the way that they're solving that. And that's going to turn its way into best practice. Then over so many years, that best practice will make its way into a compliance framework. And in that capacity, it's going to pull the rest of everybody else along. That's lagging. So I think that's a good thing. I don't think it's ever going to really change because as long as technology is outpacing the legal frameworks, we're going to have that challenge. But ultimately, I think the real question is, are we better off with them or without them? And I think certainly we're better off with them. But I think always with tempered expectations that they are not a panacea. You can be compliant and totally not secure. I think we all know that. 
So I think if you're looking for compliance to deliver security, you're probably going to be disappointed more times than not. But if you're looking for compliance to kind of set some kind of baseline to help keep the chains moving, then it is usable. But it's effectively the equivalent of moving into a house that's just barely passed inspection. But it has that inspection. 

Brian Selfridge: [00:36:28] So where do you think the regulations, and maybe it's more the mandate side, have really missed the mark? What do you think just has to go out of the enforcement or the regulatory side of things that are either baked into, I keep picking on GDPR, HIPAA is one that's been around for a while and might be getting a little stale. What are the aspects of any of the regulations you can think of that really need to go away? And you think we need to start moving away from the kind of thinking that maybe worked 15, 20 years ago but doesn't anymore?  

Joey Johnson: [00:36:58] Well, I mean, we'll take on HIPAA for a second. I think the HIPAA approach to required controls versus those that are not, right, that's bad because you can't have a framework where a large healthcare payer invested billions and put all the right tools and technologies in, but it's a much bigger target, is battling to be HIPAA compliant. Whereas you have Dr. Joe's Vision Shop, you know, up in the farthest northwestern corner of Montana, also can say that they are HIPAA compliant, and they don't have half of the controls in place. Now I understand, obviously, there are scales of what organizations can invest in. But to be able to use a different measuring stick that makes those organizations come out on a different end of the equation is a broken model to me. So that's what I think on that one. You know, with GDPR, obviously for a long time the EU, or even before it was the EU, the European mindset around privacy has been much more stringent than we've had here in the States, I think. The problem with GDPR, again, I think is the enforcement aspect of it. Because it's kind of an arbitrary bazooka that's being carried around. But the ability to really, truly distinguish who has what data and how it got there and placing accountabilities in organizations for some sort of adherence because of it, I think that's going to get very, very complicated. I think when you start again talking about things like in healthcare, like wearable technologies, that you got some Fitbit that uploads some data somewhere in the cloud, and they push that data on the back end of some analytics place to generate some results in that analytics, you know, to push that data somewhere else, I mean, it becomes very, very complex to try to ensure enforcement there. The same way we saw with HIPAA, and then we had to see the omnibus come out to say we didn't quite get it right. I think we're going to see a similar path happen with GDPR. I just don't think it's fully baked yet. 
I think it's well-intended, but maybe not fully thought out. 

Brian Selfridge: [00:39:23] I guess we have these supervisory authorities, whatever the enforcement folks are on the GDPR side. Do you think, and this is total speculation but that's what we do here, do you think they'll sort of make an example of some folks this year or next year just to say, hey, GDPR is for real, and we're going to go out and hit some big targets and make a fuss? Do you think it's more likely we'll see some tweaking and tuning based on industry reaction before the enforcement really hits? I realize that's total speculation. I'm just curious if you wanted to guess at it. 

Joey Johnson: [00:39:57] Yeah, we'll see both. We're going to see the organizations tweaking. We're going to see tweaks to the GDPR framework itself. But we are definitely, I think, going to see them go out and prove that they've got some teeth. And then I think it's going to be a really interesting sort of who's going to lawyer up more battle to watch because there are so many ambiguities in it. Sometimes I'm very, very skeptical about when government-oriented frameworks come out because they start out well-intended. They don't always get the right stakeholders out there building them. So somebody says, you know what we should do, here's a great idea. This kind of thing shouldn't be able to happen from a privacy perspective, and they'll make a sweeping mandate without really understanding what that means. And you see the industry kind of respond and shrug their shoulders and say, how are we even supposed to accommodate this? I mean, we saw this happen with meaningful use. We saw this happen with some of the omnibus stuff like it's not even practical to do what you're saying to do, and it's hard to understand when you're complying and when you're not, because there's so much ambiguity to it. But I definitely think that because of all the buildup that's happened around GDPR, we're definitely going to see them start going after some organizations. What comes of that? I think that will be, get your popcorn ready and we'll see. 

Brian Selfridge: [00:41:19] How do you rank GDPR in terms of the prioritization of things you have to worry about? What I've heard from some entities is, look, I'm behind on HIPAA stuff, and I've got to catch up there. I've got my implementation of my favorite security framework, and I'm behind on that. I really want to keep focus, and I've got state regulations to deal with. And then there's this GDPR, which is the new kid on the block. And it's the big elephant. It's like this huge kid on the block. Where do you see the prioritization? Is everybody stopping right now to say, OK, let's stop everything, we've got to get GDPR compliant? Or is this like, we'll watch it, wait and see and then decide how big of a deal it is? Where do you think it stacks up? 

Joey Johnson: [00:41:59] I think organizations are taking tactics all across the spectrum. All I can speak for is our philosophy and our approach, which is the way that it is with every other compliance framework. We're going to build a secure organization that takes into account all the security controls and all the privacy controls and all the ethical controls that we know need to be in place. And we will see what shakes out the bottom of that. Our experience has shown we usually have very few gaps to cover to make sure that we get fully compliant. I think that if you're addressing a material one, if an authority comes knocking on the door, usually they are going to start taking enforcement action where they're finding negligence or they're finding deliberate avoidance of implementing controls and really poorly implemented controls. They're not going after the organizations that are trying and understand the risk posture. So I think that if you start there and then kind of map backward to the compliance frameworks, the benefit that we do have is there are a lot of common controls frameworks out there. The CSA has some, and obviously, HITRUST has its own take on it. And there are different common controls frameworks that take in the key majority ones. So you can kind of map across it. But if you focus on the controls that you need to have in place, I think which one of those frameworks you focus on is going to depend on your business model and frankly, where you're going to get the most scrutiny from. But I think that if you just address the controls first, then you'll get to the landing place you need. 

Brian Selfridge: [00:43:39] Well, I'm sad to say we're coming up on time a bit. I've got a ton more I'd love to ask you, but in the interest of letting you get back to solving all these problems, I'll ask you one more. And it's a bit of a broad one. We've talked a bit about the evolution of the security function here from, it was a bunch of folks that used to do non-security stuff, and then we all figured out how to become security people and start to solve the first wave of problems, and now we've got universities kicking up cybersecurity professionals, and they're getting trained up and getting experience. What do the next 10 years, let's say, look like in the security field? Is it more automation? Does the technology ramp up? Does the role of the security team change based on that technology, the security technology getting baked in? What are some of the characteristics that you think a security program will look like 5 or 10 years out that may be different from where we've come from? 

Joey Johnson: [00:44:40] Well, I would say based on the emergence of all the IoT stuff and all the medical device stuff and all the wearable technologies, we're going to continue to see exponential growth in those things. And we're going to see a shift in what the consumerization of the security market looks like. I mean, for a long time, that's just kind of been antivirus and maybe your LastPass or your password post or something like that. I think we're going to see that market kind of mushroom, as well, as individuals begin to take more accountability for their own information and don't necessarily rely on the backend organizations to do that for them. I certainly think that we're going to continue to see a growth in the buzzwordiness of AI and ML. They kind of annoy me because they're not necessarily anything new. There's a little bit of marketing jargon around it. But the fact of the matter is, the volumes of data are going to consistently, exponentially outpace people's ability to ingest that and make any kind of rational sense out of it. So without better models to really deal with that, and models that are usable to the lower end of the spectrum, as the Googles and the Amazons of the world are not going to be the only ones that are going to be really proficient at this, we're going to see a shift in that, I think. I definitely think we're going to see more international collaboration from the legislative front of what to do with data, because just like we hit a global economy so long ago, we're hitting a global sort of data movement environment and data ownership environment, where those lines potentially will be harder to draw, and we're going to need better frameworks that are more collaborative to do that. And so I think we're also going to start seeing a shift in the questions that we're asking around security. We're going to start to make different assumptions. We've heard the assumption of assume you're breached. 
I think we're going to start seeing the assumptions kind of shift to like, let's assume that our adversary already has all the data. The question becomes, and they already have the control of, say, the OT data networks, the question becomes, how do we get more predictive about what they're going to do with it? It's sort of that next set of questions of, OK, let's assume that the initial hail is already taken and compromised in protecting it, while it yields some benefit, the real question is what happens next now that all those assets are compromised, and how do we shift models to be more predictive and kind of that next step of what gets done with those compromised assets? I think we'll see a lot of that start to emerge. 

Brian Selfridge: [00:47:04] Excellent. This has been a fantastic conversation, Joey. I can't thank you enough for taking the time to think through this with us. We'll see how our predictions turn out. They all sound pretty sound to me, but only time tells, as this industry moves fast for sure. But I want to thank my guest, Joey Johnson, who is the chief information security officer for Premise Health. Thanks, Joey, so much for joining us, and we are looking forward to hearing more from you in years to come, as we try to tackle this together. 

Joey Johnson: [00:47:31] All right, thanks a lot. 

Brian Selfridge: [00:47:37] Again, I would like to thank our guest, Joey Johnson, who is the chief information security officer for Premise Health. Joey shared some great insights with us about how to build a security team and retain top cybersecurity talent. Also, how to navigate the growing vendor landscape of cybersecurity technical solutions. And we also covered trends in cyber law enforcement and much more. 

Brian Selfridge: [00:47:57] As always, we would like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you would like to hear about or a thought leader you would like to hear from. Our email address is [email protected]. Thanks so much, and we look forward to having you join us for the next CyberPHIx podcast coming up soon. Thanks.