The Cornerstones of Healthcare Security Teams: Talent Recruitment and Training

PODCAST TRANSCRIPT

Brian Selfridge : [00:00:16] Hello and welcome to CyberPHIx, the audio resource for information security, privacy, and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we will be bringing you pertinent information from thought leaders and healthcare information, security, and privacy. In this episode, we will be speaking with Dr. Pablo Molina, who is the AVP and Chief Information Security Officer for Drexel University, which includes the Drexel School of Medicine. Dr. Molina has an extensive background in higher education and healthcare roles, and I'm excited to speak with him about training and building the next wave of the cybersecurity workforce. We would also like to hear from you. So if you have a specific topic or thought leader that you would like to hear from, just drop us a note at [email protected], that's [email protected]. Now let's get to our interview. 

Brian Selfridge : [00:01:15] Hello, this is Brian Selfridge, host of the CyberPHIx, the industry's leading podcast for information security and privacy, specifically for the healthcare industry. I'd like to welcome my guest, Dr. Pablo Molina, who is the AVP and Chief Information Security Officer for Drexel University, which includes the Drexel School of Medicine. He's also an adjunct professor at Georgetown University, where he teaches graduate courses in ethics and technology, and information security. Dr. Molina also serves as the executive director of the International Applied Ethics and Technology Association. Prior to those roles, he has had an extensive career serving as CIO and director of I.T. for several major universities across the country.  

Brian Selfridge : [00:01:54] I'm very excited to speak with Dr. Molina today about training and building the next wave of the cybersecurity workforce and tapping into his experience in helping to build universities and academic medical centers and the like over the extent of his career. So, Dr. Molina, Dr. P., welcome to the show and thank you so much for taking the time to be here with us. 

Pablo Molina : [00:02:14] Thank you very much for having me here in the show. 

Brian Selfridge : [00:02:17] Well, I'd like to start off getting just your understanding of what is the marketplace looking for with respect to cybersecurity talent these days? It seems like the roles keep changing. Sometimes we need more executive-type folks, sometimes we need more hackers and pen testers and hands-on security people. What do you think are some of the top skills in demand for maybe candidates, for students that are entering the cybersecurity field these days, that you would see, you know, worth putting some energy behind? 

Pablo Molina : [00:02:53] Well, like in every profession, you can imagine that the workforce looks like a pyramid. And at the bottom of the pyramid is where you have the most people who should be working in cybersecurity. These are the people who are going to be doing the bulk of the work. They're going to be doing vulnerability management and vendor assessments and responding to first-level incidents. And that man or woman is in the security operations center. Next to them, you have people with high-level skills, people who can escalate some of the issues can make some judgment decisions. And then at the very top, what you will have is the CISOs, who are the ones who are able to communicate with the board and the executives, who are able to make really difficult decisions and set a strategic path for the information security program. Now, interestingly enough, we're looking for people at the bottom of the pyramid. The reason why there's such a shortage of technology information security professionals is that even at the bottom level of the pyramid, you still need many more skills than you do for similar professions. 

[00:04:01] So first, you need these people to have a deep, clear understanding of technology across the board. They need to know about networking. They need to know about software development. They need to know all the things operating systems that a technologist needs to know about. On top of that, they also need all the knowledge that comes with information security, even at a basic level, things like vulnerability management and firewalls and antivirus software, some basic information about threats and the web, as well as general concepts like risk management and vendor assessment. And then, to make matters more complicated, you need the same skills that you need in anybody who's an information worker. So first you need to have critical thinking skills. That is being able to think carefully about problems they've never encountered before. They just information, determine what's important and relevant versus those things that are not that crucial in making decisions. You need people who can get along well with others because nobody works independently. And finally, whatever business you're in, you need people who understand the intricacies of the business. If you're looking for security people in healthcare, you need people who know what the healthcare business is about. They understand the terminology. They understand a little bit of the legal and compliance framework that goes with that line of business. 

Brian Selfridge : [00:05:24] Now, how do you deal with trying to find the right mix of skillsets? So are your ideal candidates that you're looking to bring in at the entry-level of the pyramid, or are you specializing where you look? Do you think there's a need for a legal compliance and security controls person versus a more IT infrastructure skill set versus someone else? Are there unicorns out there, where you find candidates that have all that? Or are you willing to settle for something less than that? 

Pablo Molina : [00:05:54] Well, I only settle for the best, for the best that I can afford that is. Because it is clear that both in healthcare and in my case in a university, our salaries are oftentimes not as competitive as those offered by large corporations and the private sector. We may have outstanding benefits on the side, like, for example, free tuition, discounted tuition, good retirement plans. But in the end, the compensation is not as competitive. So that said, I'm looking always for candidates under the old adage that says, hire for talent and interest and train for skill. If I find the right person with a basic understanding of technology but a mature understanding of technology, somebody with a college degree, then I'll be happy to train that person in the specifics that I need them to know, be that forensics, risk management, some of the industry certifications, advanced firewall configuration or incident response. So in the end, I am flexible, and being flexible is also important in order to find a diverse workforce because otherwise, we end up with a bunch of employees who are all of the same gender, the same age, and the same professional and academic background. 

Brian Selfridge : [00:07:12] Well, many of our listeners are in the healthcare arena specifically, so I want to talk about that a little bit. Are there skills that the healthcare, cybersecurity function would need or desire that might be different from the rest of the industry in terms of understanding the business or the complexity of a typical health system in the applications that are used? Is there anything that you would look for that would give somebody a leg up, if they were looking at healthcare cybersecurity versus other industries? 

Pablo Molina : [00:07:43] I would argue that many of the skills are transferable across industries, except two particular issues that are very unique to healthcare in my opinion. The first one is the culture of healthcare, where people you say work in healthcare because they want to help others and heal the sick. The truth of the matter is that there's a very unique culture with very competing needs when it comes to working with the insurance providers versus the administrators versus the faculty and staff and the patients themselves. So understanding that unique culture can help a security analyst or an information security professional thrive in healthcare. It's not easy, for example, to mandate all the doctors in a new facility to adopt a new information security defense that is going to make their life a little bit more difficult without explaining to them what the real value and need are for that new line of defense. The other issue that I can see is very unique to healthcare and is something that information security candidates should take into account is HIPAA, Health Insurance Portability, and Accountability Act. This makes this environment and the storage and processing of health information and health record heavily regulated. Hence, information security professionals need to be familiar mostly with the security rule but also with the privacy rule and other rules that have to do with the management of HIPAA information. 

Brian Selfridge : [00:09:19] So we've been talking about skills that you have a need for. I presume some of that is filled by the university for entry-level positions, sort of collegiate level training. Do you see many career switchers coming from other industries and skill sets that are able to make the leap into cybersecurity? And what types of careers do you think transition well into cybersecurity? Is it I.T. folks with I.T. roles previously or even legal and privacy? Are there certain career candidates that might transition better into cybersecurity than others? 

Pablo Molina : [00:09:55] So the US workforce is one of the most agile in the world. When there are opportunities in other parts of the country, in other fields of employment, you know, this being an efficient economic system, people will jump into those. So many people are transitioning into cybersecurity from other carriers. In my experience, the most successful ones are the ones who already have some sort of information technology role. Hence they were good at what they were doing, and they were already in a certain demand. But they realized that the demand is much higher in information security than it was in information technology in general, particularly people whose jobs have been displaced, as companies embrace the cloud services more than they did on sight, on-premise infrastructures. 

Pablo Molina : [00:10:43] The other group that I found very fascinating of people who tend to be very good in information security are the ones I recruit from our own criminology program. I hire some of our own graduates from the criminology department, and whereas I realize that they may lack some of the deep information security and technical skills required for the profession, that instead, they have a deep understanding of the legal and regulatory environment and also a very, very good incident response, being able to analyze cases and situations, being able to communicate and present information well and good critical thinkers capable of distinguishing what's truly important from the least important information. 

Brian Selfridge : [00:11:29] That's fascinating. I think, and I'll have to be careful, I'll have to go check out your program now and the criminology students and hopefully not compete with you for the best ones, but that's fascinating. 

Brian Selfridge : [00:11:41] And since we're talking about the university side of things, how are you seeing the types of curriculum and programs that are coming out around cyber, around management information systems, some of these other degrees? Are you seeing the degrees and the skill sets that are being trained? Are they matching up with the skill sets that you've outlined earlier around the need to have that networking infrastructure, the security background, the legal privacy? Are you getting that from the university market right now? And if not, are there any gaps that you think are worth improving upon? 

Pablo Molina : [00:12:15] Many universities, including ours, have had cybersecurity problems for the last few years, and sometimes with incentives from the federal government, we've been able to update those programs and get even better candidates. But the truth of the matter is that there's always a discrepancy between what the job market requires at a given time and how fast universities can adapt their curriculums on their course offerings in order to fulfill those needs. So what happens is that we find ourselves sometimes teaching more obsolete technologies, whereas we're very good at the theoretical models for risk management trying to convey an understanding of the overall information security figure. In the end, it's a combination. It's a combination of education in the classroom, together with practical training and experience that will make those new graduates into strong entry-level cybersecurity practitioners. 

Brian Selfridge : [00:13:17] Well, many of our listeners here are chief security officers, chief privacy officers, directors, managers, and all the way down the line in healthcare security roles. Is there a forum or forums that you're aware of where folks with experience in the industry can give feedback back to the universities on what types of skills are evolving and how cyber's changing and what types of curriculum might be appropriate? In that type of conversation welcome, I guess, from the university side from what you've seen? And is there a way that we could recommend to our listeners to sort of getting plugged in and help drive that conversation? 

Pablo Molina : [00:13:52] It's a great suggestion. Many of us have advisory boards around the programs where we teach cybersecurity to new graduates, both are down the graduate and the graduate level. So I encourage you to connect with your alma mater. If that was where you studied cybersecurity or simply to work with local universities to get involved precisely with those advisory boards. We're eager to hear what is it that you think you need. And also, there is a great way to do this, particularly for those in the Philadelphia area or region, and even beyond that, I'm going to put a plug for our graduates. They have to do their practical training to cops in their careers. And I encourage you to consider hiring some of them. Now, you're going to have to compete with me because I try to hire the best and brightest, but perhaps I can do one call problem with me, one with you. And this is a wonderful way for you to be involved with the academic administrators and to provide some feedback to us through their cops, their experience, and any gaps that you may have observed between the skills that they arrived with and those that you needed them to have by the time they departed. 

Brian Selfridge : [00:15:03] I will further your plug. I'll double your plug here, as we've actually had some amazing leaders in our team come out of your program, The Drexel Program as well, so it's good. They're in high demand and a great group of folks. So we're talking about skill sets that we need today. We're talking about the universities today. Let's talk about tomorrow a little bit. And it might even be literally tomorrow at the pace that cybersecurity and the healthcare industry are evolving. What types of skills can you foresee the universities going forward needing to develop capabilities around? And this is a little bit of crystal ball projection, futuristic stuff. But, you know, do you see skills around artificial intelligence or analytics? What types of skills are changing the cybersecurity that we might start thinking about universities getting ahead of in the coming years? 

Pablo Molina : [00:15:59] I think that we can look at the analogy, for example, of doing calculations. You know, we used to be trained traditionally in doing calculations with pencil and paper, sometimes with handheld calculators. Fast forward, we don't teach a lot of those skills anymore. Instead, we teach students how to use statistical software and be able to interpret and use this statistical software to solve business problems. So likewise, we may not require our students because that is a very highly advanced skill to be able to design their own artificial intelligence applications and machine learning applications. But the truth of the matter is they need to be able to collaborate with those tools and get the most value out of them. So the people who become familiar with how these tools give us threat responses, help us do an analysis of incidents, they help us examine and evaluate our security posture and our risk management and then digest the information and translate those into concrete actions for the business. I think those are the people who are going to have the right skills in order to move forward, in order to bring value into their businesses.  

Brian Selfridge : [00:17:14] With the great variety of degrees that are available in the university system today, are there any degrees or areas where you think universities are over-investing in building skills and capabilities? For example, I often get candidates that aren't trained in security forensics or ethical hacking and penetration testing. We do some of those services, but there's not always a huge demand for somebody to be dedicated to forensics or hacking stuff. Unnecessarily, I mean, the jobs are out there, but it seems to me there might be sort of a larger volume of those candidates because those are very fun, exciting majors and focus areas. Are you seeing any areas that perhaps the universities are churning out too much of a certain skill set? Or are we so far behind now that we'll take anything we can get, any degree is a good degree? 

Pablo Molina : [00:18:15] I think you hit the nail in the head. Right now, we'll take anybody and we'll try to train them across the board in however many domains you want to divide information security. Now, the truth of the matter is, of course, it is much more glamorous to do ethical hacking and penetration testing than it is to do risk management or vendor management profiles. But in the end, this change will be exposed to all of them because we give them a comprehensive curriculum. Now, it is possible that some students end up being attracted to some of these degrees for the wrong reasons. That could always happen. And for those two things can happen. They either realize that the job is not what they were expecting, and they were sometimes disappointed and unhappy, or sometimes, they will just adjust their expectations, where they can continue to do ethical hacking, and they can do penetration testing through back bounty programs on the side, whereas they do the day to day information security operations that the organizations need them to do. In the end, I think that this is a hit and miss for everybody. We all try to adapt and move forward and prepare the next generation of security professionals, but nobody knows exactly what those people are going to be doing. Hence, we all try our best. 

Brian Selfridge : [00:19:35] I think it's interesting you mentioned folks getting in roles, and they may not be what they expected. Just a quick anecdote. I had a friend years ago. It was a long time ago, but they took a job doing forensic projects, forensics work, and I sat down and asked them how's it going, it sounds really exciting. They said, you know, I'm just sitting and looking at logs all day and all night. It's an emergency, and we're trolling through logs and maybe we find one little nugget every day or two. I said that's really tedious. I said, yeah, that sounds like forensics, but I don't think it's always portrayed that way when you sort of hear about it. They are no longer doing forensics, by the way. They did find a different career path. 

Brian Selfridge : [00:20:18] So, Dr. P, you mentioned training up the team. And, you know, we bring people in, and we're going to train them on the job, get them the skills they need, and have them learn here. I want to talk a little bit about some ways in which you've gone about doing that and some areas may be that work better than others in getting team members to be better-rounded, more across those set of skill sets that you highlighted earlier, and able to progress through their careers. What are some of the types of resources and approaches that you've taken, even just at a high level to get in your workforce trained on the areas/those skills that we've talked about so far? 

Pablo Molina : [00:20:57] It takes a village to do information security. And as I mentioned, oftentimes I hire people who have less than the optimal combination of experience and credentials. Hence, I have to augment those. And the way I do it, for example, is I'm very interested in them gaining credentials. In my case, the certified information systems security professional is a good credential. It's a generic one that shows an understanding of a number of different domains within information security. So for that, I've done training in-house, self-directed with an instructor, and then I support him in preparing for the exam and passing the examination. Because the idea for me, in the end, is that most of my team members have a graduate degree as well as certifications. 

Pablo Molina : [00:21:49] There are specific tools that they need to learn how to use, in our case, tools like Splunk, for example or Palo Alto. For those, I rely on the available corporate training options. Some of them are free because I sign up at Drexel University to be able to take those courses for free. As long as you register with the Drexel.edu address. Some of them you have to pay and send people to the conferences where all the spelunkers get together, and they can discuss their tricks and go to advanced labs and other options like that. And then I'm also a firm believer in mentoring. And there are people in my organization, as well as related technology organizations within the university, who are very good at what they do. So I believe in cross-training personnel, in setting up Brownback meetings, in getting all the software developers together to teach each other's tricks of the trade. I believe in bringing colleagues from other institutions who will speak to my workforce and inspire them to learn new things and share some of the tricks of the trade. 

Pablo Molina : [00:22:52] You mentioned certifications and getting folks the certs and getting trained up for those. I often get that question from our sort of junior level team members that are trying to figure out which certification should I go for, and of course, that depends somewhat on their career path. But do you have any preferred certifications or favorite certifications that you think really are a step above the others? 

Pablo Molina : [00:23:16] I personally hold caringly the Certified Information Privacy Professional Certification and the Certified Information Systems Security Professional. I believe the last one Certified Information Systems Security Professional, it's a very solid one. It covers 10 different domains of information security. It's been around for a number of years and has many iterations of the content and the administration of the exam. So it's a good way to show independently that somebody knows a great deal about information security. Others that are much more specific are the ones for audits, the ones for privacy, as I mentioned, the ones for specific systems like Cisco, certified ethical hacking. You know, all of them are good. How good is hard to tell. Really, for me, one certification that's kept up to date with continuing education credits is really what's important. And I strongly encourage people to consider before taking a certification whether or not they're going to have the time and the money to keep that certification active. For example, at one point in time, I was both a certified Novell engineer and a Microsoft certified systems engineer. I let both of those credentials expire because this is not my job anymore. 

Brian Selfridge : [00:24:39] So our field moves so rapidly. A lot of entry-level folks in the field have the choice of do I get a bachelor's degree than pursue certifications? Do I go for the graduate degree and get the master's and go that route and then get certifications or maybe some of all of the above? I think there was a news article recently where one of the major corporations, who is actually escaping me at the moment, but announced they're no longer requiring bachelor's degrees as a mandatory requirement for all positions. And so it's sort of stirring this debate. And I've always felt there's an open conversation needed in cybersecurity that, you know, how far do you have to go down the educational path or is it better to just get out, learn the latest tools, get that mentoring from somebody, a great leader like yourself, and is it better to go that path and get the experience? Do you have any guidance for the younger, maybe not younger, folks getting into cybersecurity of whether it's worth going bachelors and certs or go for that master's degree? Do you think there are tradeoffs there that are worth discussing? 

Pablo Molina : [00:25:47] I think that there are two clear paths to succeed in information security. One of them is traditional by which you will get a bachelor's, maybe even a master's degree in due time, combined with one or two certifications and certainly the experience. And with these, you'll be solid cybersecurity professional. How high in the ranks depends on your talent, your effort, and your luck. The other path is completely different, it is a much faster track. All you have to do is become a very good hacker, spend two to three years in a federal penitentiary and once you're out released on parole, then you can work precisely in the field and command your own salary. But you have to be able to put up with that time in a federal penitentiary, sometimes in solitary confinement. Perhaps I'm joking here, but really the important matter is that you need the education, and you need a third-party validation, which gets you through the education or the certifications, and you need the experience. 

Pablo Molina : [00:26:49] I think that people who don't have a bachelor's degree are shooting themselves in the foot. There are many ways to get a bachelor's degree. It could be a traditional university like ours. It could be less traditional, like some of our online or hybrid programs, or it could be something completely different, like the competence-based bachelor's degrees offered by Western Governors University. Either one of those goes through a corporate and organizational structure. Without a bachelor's degree, it puts you at a severe disadvantage with all the other people you're going to work with: lawyers, privacy experts, doctors, nurses, business people who already went through college and had a bachelor's degree. Those people can demonstrate that they can read, they can communicate, they can think clearly, they can go through a complex program of a study and finish what they do. When you don't have that academic credential, maybe you're capable of doing all those things, but you haven't demonstrated that you're able to do it. 

Brian Selfridge : [00:27:49] So we've been struggling as an industry with just the overall shortage of talent. We've talked about universities and that's a great source for entry-level folks. Experience and resources are harder to come by depending on the experience you're looking for. And that shortage has led to a lot of leaders looking for creative ways to find new talent that they can bring into the organization, into the cybersecurity program. Have you had to go out of traditional circles to find talent or do you have enough pumping out of the university that you have there to fill your requisitions or are there any creative ways you've had to find people from different backgrounds? 

Pablo Molina : [00:28:32] I'm always scouting for talent, and one of the reasons why I'm scouting for talent is because there is a major problem with diversity in the information security profession. There are very few women. There are few minority candidates. And in order to interest those in careers in cybersecurity and be able to hire them, one has to be extremely proactive. So to that end, I was one of the early members of the Hispanic Information Technology Council for Hispanics in technology, including cybersecurity. And I was also one of the sponsors for the Women in IT Group here at Drexel University. So what I had to do is every trick in the book, from finding candidates who maybe did not think about cybersecurity as their first career, but they were interested in technology and then letting them explore through an internship the opportunity to do this and find out whether or not they like it to accepting people with different credentials, where you realize that some skills may be more important than just the traditional set of skills that we tend to ask from every candidate, so you can evaluate them in different positions. 

Pablo Molina : [00:29:42] On occasion, whenever we had a candidate that particularly had the expertise that we needed in one unique field, sometimes you even have to bring them from other parts of the country or even other parts of the world so that those people can join your team temporarily and bring the talent that you need them to bring in the team. And then also, take advantage of the unique organizational situation that you have. In my case, most universities are generous with tuition benefits. This means that if I have a person with a bachelors degree who's interested in this field, who's trying to get a master's degree, perhaps the total compensation with tuition benefits for that person would be very, very interesting, much more so than maybe finding a job that pays 30 to 40 percent more than a corporation. 

Brian Selfridge : [00:30:30] Well, Dr. Molina, this has been a wonderful conversation. I'd like to just close with one sort of final question here around any words of wisdom you have for the security leaders that are out there trying to find the right talent, trying to make sure they build their teams appropriately? We've covered a lot of ground here, so perhaps we've covered it all. But anything else you'd like to add to the conversation that you think should be on the radar of hiring managers, as they're looking to build their teams? 

Pablo Molina : [00:30:59] So I would like them to think that the threats are very diverse, and the bad guys are also very diverse. So they need a diverse workforce in order to protect the people, the information, and the systems of their organization, in order to manage the risk that their organizations are exposed to. So I encourage them to think outside the box when recruiting talent, not only recruit people who are like you, you know, went to the same school where you went and went through the same career path that you went through. Perhaps that was great and this is why you became a CISO. But there are many ways to achieve competency: experience and knowledge in the profession. And I want my colleagues to consider all those different avenues, so we can bring more diversity into the profession. 

Brian Selfridge : [00:31:47] Wonderful. I think that's tremendously helpful. Thank you so much. I'd like to thank my guest, Dr. Pablo Molina, for a wonderful conversation on where we are with the recruiting and the training of the cybersecurity workforce. Dr. Pablo is the AVP Chief Security officer for Drexel University. Thank you so much for joining us, I really enjoyed the conversation. 

Pablo Molina : [00:32:09] Thank you very much, Brian. And listeners, it was a true pleasure, and for those who would like more information about any problems, please don't hesitate to find me online. If you are not a vendor, I will most likely reply to your messages. 

Brian Selfridge : [00:32:33] Again, I would like to thank our guest, Dr. Pablo Molina. I very much appreciated Dr. Molina's insights into training and building the next wave of cybersecurity workforce members. The emphasis on identifying a diverse workforce and continuing education and training and development are definitely key takeaways for me from this session. In addition, of course, to make sure to emphasize that we hire students from the Drexel program, obviously. 

Brian Selfridge : [00:32:58] As always, we would like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of CyberPHIx. We look forward to having you join us for the next session coming up soon.