A
You're listening to the CyberWire Network powered by N2K. Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews and captivating stories to stay one step ahead. Today, I am thrilled to welcome Rob Suarez, Vice President and Chief Information Security Officer at CareFirst Blue Cross Blue Shield. Rob, welcome to Afternoon Cyber Tea.
B
Thank you so much for having me.
A
So, Rob, let's start with your career. Your career path, from software engineer to medical device security and now leading enterprise protection for millions of healthcare members, reflects both technical mastery and mission-driven leadership. What personal philosophy drives your approach to cybersecurity in a field where trust is definitely life critical?
B
Ann, it's so humbling to hear you describe my career that way. My background, as you mentioned, is in technology, but my passion is in healthcare. And when most people think about cybersecurity, they think of technology. My personal philosophy is that under the layers of technology, there is a human element to everything that we do in cybersecurity. And there's a moral responsibility that guides decisions. It's not just about protecting systems, it's about protecting people. And in healthcare, cybersecurity is inseparable from patient safety and digital integrity. This applies to anyone, not just the cybersecurity professionals, but also business leaders and individuals across many functions. Every decision to prioritize the cost and effort of cybersecurity is guided by the principle that safeguarding technology is also safeguarding health.
A
I do think that you live in a different world than we do. And at Microsoft, we often say that security is the foundation of trust, that earning and maintaining trust requires transparency, accountability and resilience in everything Microsoft builds and delivers. I've heard that you've echoed a similar belief in saying, quote, "everyone deserves trustworthy healthcare." How would you define trustworthy in a digital health context? And what does it take to embed that value across all the systems, teams and partners that make up CareFirst's ecosystem?
B
Well, Ann, you're absolutely right. I have characterized trust in that way when it comes to healthcare cybersecurity. Because when you're sick and you need health care and you show up to a hospital, for example, sometimes, oftentimes, we don't get to choose the healthcare technology that we interact with as patients. We have to assume the trust of the healthcare institution that's providing these services for us. Resilience in healthcare goes beyond technical recovery and metrics. It means the continuity of care and the confidence in the systems that we rely on during a disruption, during a cyber attack. And when there is a significant attack on health care systems, those are attacks on individuals and their well-being. In healthcare, we focus on business continuity, crisis management and cyber incidents to ensure that care can be received with minimal, if any, delay, adapting rapidly without compromising patient trust. To put it simply, the exercises and all of the KPIs that we measure not only pertain to systems and their recovery, but also to the ability to maintain essential health services when supporting systems such as payment systems are down.
A
That's incredible context, because I think we often think about your patient care systems, the actual provider systems that you deliver care on, but there are not just clinical systems, there are also financial systems. And it is a very interconnected ecosystem between payers, providers, device manufacturers, and of course, you're in a heavily regulated industry with the actual patient care experience and life safety at the end. So how do you protect this type of system, where there is this deep interconnected ecosystem from the payers, the providers, clinicals, financials, everything that's involved? And also, I know you have a lot of experience in devices too. How do you protect it when there's no true owner of the entire surface area?
B
I'm a firm believer that in order to match the pace of cyber attacks and what criminals and threat actors are doing to exploit healthcare, we also have to practice absolute transparency and collaboration in protecting those healthcare systems. And so this means being transparent about security risks and vulnerabilities that exist in healthcare technologies. It means working across various types of organizations on the shared responsibilities that we have to design with security in mind, but then also put it into practice and provide defense in depth. This applies to the third parties we use in healthcare as well. There are many different third parties that we use in healthcare, Microsoft being one of them, that may not necessarily be healthcare companies. And there are things like governance structures that are helpful in providing that type of oversight and continuous monitoring and accountability for organizations and our third parties. But I think the other part that's really important, where we have no true singular owner of an attack surface, is also promoting a culture where innovation in health care never comes at the expense of trust.
A
I think that sounds really like the right philosophy. Right? Innovation doesn't come at the expense of trust. There are a lot of trust factors, and a lot of them are external. You know, I sit on the board of a healthcare data company. So we're downstream of care, but we spend a lot of time thinking about privacy, security of patient data, making sure that we're anonymizing or tokenizing the right data. Because one of the things, and one of the things I know you think about, is that the healthcare sector is facing escalating ransomware attacks, escalating data breaches. When you think about those vulnerabilities, do you think that technical or cultural are the most important? And how do you, across the company, right across the org, get leaders to really focus on both the technical and cultural aspects?
B
Great question, Ann. I believe that the cultural gap is often underestimated: complacency and lack of cyber literacy among non-technical teams. Not everyone can be a cybersecurity expert. In fact, I would argue, who is truly a cybersecurity expert? But training and education and empowering people with information is one of the most powerful things that organizations can do to address vulnerabilities. If it's a software engineer who is writing software, it's understanding secure coding principles. If it's a system administrator configuring cloud infrastructure, then it's understanding system hardening standards as well. And even for those non-technical professionals across an organization, like accounts payable understanding how to spot phishing emails, or perhaps it's now human resources and our talent acquisition partners being able to identify deepfakes impersonating candidates applying to remote worker positions. These are the many ways that we try to close the cultural gap in appreciating and understanding the importance of cybersecurity and what to do at the cross section of those types of issues.
A
I think that's a great approach and I do think that you're finding and striking the right balance in what is a very difficult environment. We talk a lot in cyber, as you know, about user trust, yet in your world it's patient trust. And that certainly carries a lot of moral weight. How do you continue to deliver services and drive patient trust? How do you, you know, tagging onto the last question of how you build this culture across the org, how are you building a culture where privacy and safety are treated as inseparable?
B
So the importance of security doesn't exist without privacy. To be clear, we could have the most secure healthcare technology. However, if those secure communications, if those secure data shares expose the personal information of individuals, then it compromises the value of that healthcare technology. In fact, it will probably deter people from actually using that technology. And the same thing applies to patient safety. We can have the most secure healthcare technology. However, if it undermines the privacy and safety of individuals, then it's very likely that people won't use that technology. And so that is why I believe privacy and patient safety are inseparable from security. Security is a means, one of the many means, of achieving those objectives.
A
I think that's good. And I know that you live in this world every day. I don't envy you, right, the position of standing there and having to think about how you balance all these things. The other thing you have to balance is transparency. Right. We often talk here about how it's difficult to balance transparency after an incident. What have you learned about communicating risk and recovery in a way that preserves trust, also preserves confidentiality and safety and privacy?
B
Transparency and clarity are key. CareFirst has a crisis communication playbook. We emphasize early and honest updates, framing actions as proactive and member-focused. Our communications avoid technical jargon. They focus instead on what matters to stakeholders. And that, in our work, is the continuity of care and the safety of individuals, perhaps at the most vulnerable times of their life, when they're sick and they need health care. And so I think that's been very important in communicating risk and recovery for our technologies, and in the event of cyber attacks.
A
I think that also goes hand in hand with something that you've championed, which is secure by design. So one of the ways to absolutely reduce your chance of an incident, right, is to have a philosophy of securing everything by design, securing everything by default. It's certainly not just technology, it's behavior. So what does that look like in practice for you? And how can other CISOs who listen to the podcast adopt that mindset?
B
So, Ann, there are absolutely practices that most cybersecurity professionals can iterate through, whether it is applying secure coding standards, whether it's using static code analysis as part of our development processes, running vulnerability scans on infrastructure, applying system hardening standards, or even just having design requirements for security at the start of a project. I think what's really important, though, is understanding how cybersecurity applies to the value your technology is trying to achieve, the value and purpose of this technology to the benefit of patients. And so if this technology is intended to, for example, manage diabetes for patients, whether it's an infusion pump connected to a patient providing life-saving medication, or it's a medication supply cabinet that provides life-saving pharmaceutical drugs to patients, it's understanding the unique scenarios in a healthcare context where these technologies are applied and prioritizing that value. Because oftentimes in cybersecurity, we can try to protect many things and then not protect what matters most.
A
That is so incredibly insightful, because I do think that we spend a lot of time, we talk about it, right? We spend a lot of time playing what we call whack-a-mole, trying to defend against whatever the latest threat is or the latest projected threat, while we're leaving literally the keys to the kingdom unguarded. And we have to get better about guarding the keys to the kingdom in a lot of different ways. And certainly AI can be one of those defenses we deploy, and it's going to have to be, right? As we're evolving into the future, we have to contemplate how we deploy AI in a responsible and pragmatic way. When you think about AI and healthcare, there's also this focus on efficiency and insight and getting better insights out of data that improve health all up. How do you balance, though, this promise of AI, particularly in healthcare, with the ethical responsibility to protect data integrity and also to protect patient privacy and autonomy?
B
Well, Ann, AI at its core is technology. And technology is much like the human body. It is not perfect by design, it's not perfect. And in fact, over time it ages. But instead of disease and illness, software and technology produce vulnerabilities. And so we must accept that any time we incorporate technology into health care, we need to factor in those trade-offs and ensure that over time we maintain that software and we breathe new life into it, that we feed and nurture the technology, and that we stay focused on the value every single time that we make a decision to use technology, in this case artificial intelligence. It's very important that we make a conscious decision to focus on what healthcare outcomes will be achieved through the use of artificial intelligence, accepting the possible risk as well that over time that AI will need to be nurtured, it will develop vulnerabilities, we will observe those vulnerabilities, and new threats will emerge as well that we have to protect against. And it's an investment to ensure that we continue to drive that value that's achieved through the use of artificial intelligence. So I think, taking a step back, Ann, there are also technical controls. I think for years some organizations have debated controls that have now become table stakes in the day of AI. At one time it was whether or not organizations should adopt multi-factor authentication. We know now that multi-factor is a must-do, that in fact passwords are a source of vulnerability in themselves. And to go even further, that going passwordless is an imperative as well. And so I think when we look across the different technologies that we have in cybersecurity, that is another thing that needs to change in this day and age of AI, and in the future of quantum computing as well, which will impact encryption for many organizations.
A
I think all of that is correct. I do think that encryption, quantum, AI, the world of cybersecurity is rapidly changing from the days when I started, when I was trying to, you know, in the early days at RSA Security, trying to convince people to use a token for multi-factor authentication or strong authentication. And here we are, going into the year 2026, and we're talking about how AI and passwordless and passkeys are going to fundamentally harden the environment as we roll out things like quantum and quantum-resistant encryption. So, Rob, this industry, one of the things I love about being in cyber is it moves just so fast. It just really does move incredibly fast.
B
Absolutely.
A
One of the things that stands out in your approach, since you and I met, is that I've heard you talk about the human element, both patients and also your team, the team within the organization, and culture. Can you talk a little about the people behind the mission? You've led global cybersecurity teams across multiple industries. What have you learned about teams that not only defend but also believe in the mission behind the work?
B
It goes back to what we were talking about. When it comes to how rapidly change takes place in cybersecurity and all of the different types of cybersecurity threats that we need to focus on and protect against, it can be overwhelming. And in fact, in healthcare, it's even more daunting because there is a patient at the end of everything that we do. And I believe that a purpose-driven team always outperforms, and it allows us to focus on where we need to pay attention and apply more pressure, apply more rigor in security. CareFirst emphasizes the human impact of cybersecurity and connecting technical tasks to patient safety and community health. As leaders, we cultivate this by sharing real-world stories, investing in professional development and creating a culture around a mission at CareFirst that's making healthcare affordable and accessible to everyone. And as we've seen, cyber attacks in the past have had an incredible impact on the financial performance of organizations. Those dollars in health care, when there is a ransomware attack, those dollars that are spent on recovering systems could go towards achieving better healthcare outcomes for patients. And we can look at the cost of services in your local community. For example, whether it's non-medical emergency transportation or transportation to the hospital, or it's a preventative colorectal cancer screening, or if it's diabetic testing strips and getting a 30-day supply, there's a cost tied to each of those healthcare services. And when cyber attacks happen, it detracts from being able to afford those different types of services. And so I feel that is where you start to cultivate a sense of purpose. In my world of healthcare cybersecurity, it's a conversation around how our work impacts patients and their well-being.
A
I love that, I love that you just tie it back to patients and their well-being. And one of the things that you also have responsibility for, beyond patients and the day-to-day operations of the program and the team, is the board. You have to influence the board. CISOs are more and more frequently having to influence their board. In healthcare, you're also influencing your clinicians, you know, doctors and nurses and medical professionals that just want to deliver care and don't want to be inconvenienced. You're having to influence policymakers, and of course you're having to convince patients to trust you. When you think about all of that in the context of cyber risk, how do you translate cyber risk into language that inspires action and confidence rather than making people fearful?
B
Well, in healthcare I believe we need to reframe risk as a shared opportunity for resilience, using plain language and relatable analogies. Instead of fear-based messaging, communications need to highlight empowerment: your action protects health. The metrics and dashboards are designed to show progress, not just exposure. And so there is a sense of confidence that we need to have when we're practicing cybersecurity. And that allows us to be even more transparent around cybersecurity risks and vulnerabilities. Because you can't protect what you don't know.
A
I think that's a great phrase that everyone has to actually keep remembering. You can't protect what you don't know. When I talk to CISOs and I say to them, what is your number one issue or what is your number one problem? They all say visibility. It doesn't matter where in the world I am, doesn't matter the size of the company, doesn't matter the industry. They are concerned about what they can't see. They are concerned about network devices, they are concerned about rogue tenants. Now they're concerned about rogue AI, the agentic world, shadow agents. So thinking about that and thinking to the future, because we are going to see a proliferation of agents, we are going to see a proliferation of agentic AI to drive productivity, to drive research in your field, to drive better medical outcomes. If you could redesign the CISO role for the next decade, not the past decade, what would you change about how the role is measured, how the role is structured, and how the role is empowered?
B
And I believe the future of the CISO should be measured on trust, outcomes and resilience, not just compliance. The role must expand beyond technology to influence culture, ethics and innovation, even as part of the overall strategy of an organization, even in the title. This job is no longer just about information security. And certainly empowerment comes from board-level visibility and the authority to shape enterprise risk postures holistically. I think that reporting structure to the board is incredibly powerful. I think the other part is the ability to peer into our lines of business and influence, to have a seat at the table when it comes to decisions of how the company will change and provide different services into the future. Enabling technology, but also factoring in all these other forms of risk that may impact the value that we're providing to people, to patients.
A
I think that's really important. I think that's a really good construct for it. Well, Rob, we're coming to the end. I call myself a cyber optimist, and I close every Afternoon Cyber Tea with a bit of optimism, because I know that for everything that makes the news, we as an industry have blocked thousands of attacks. So despite the challenges, despite the innovations, despite what we're dealing with, with talent or AI or quantum, I also believe in the spirit of collaboration and innovation. That's one of the things that I am most optimistic about. I would love to hear what you are optimistic about when it comes to the future of cybersecurity.
B
And I'm optimistic as well. When I think back to 10, 15 years ago, many individuals didn't know what cybersecurity was, and we are in a much different state of affairs today. There is much more collaboration than I've ever seen before. And I do think there's incredible value in having a collaborative approach to defense in this day and age of AI, where we will see threat actors, they are using AI. I also have incredible confidence and optimism about how we're going to continue to use AI for our defenses, in being able to prevent catastrophic events in cybersecurity impacting public health. And I think the convergence of technology and ethics offers a path to systems that are not only secure but equitable and human-centered. I see more conversations happening around the ethics of technology now more than ever before. And again, that makes me very optimistic.
A
Rob, I really appreciate you making the time to join us today. It's always a pleasure to talk to you. You give such great advice and experience, and I just appreciate it.
B
Thank you so much. What an honor to be here speaking with you. I truly enjoyed this experience.
A
And many thanks to our audience for tuning in. Join us next time on Afternoon Cyber Tea. I invited Rob Suarez on the podcast. I've known Rob actually a very long time, through a few companies, and now he's at a healthcare organization. He's a very thoughtful and insightful leader, and I really knew that he was going to be an excellent guest and provide good insights and depth to the conversation. I think the audience will very much listen to what he has to say and enjoy it.
Podcast Name: Afternoon Cyber Tea with Ann Johnson
Episode: Trust Is Patient Well-being: Rob Suárez on Cybersecurity in Healthcare
Date: February 3, 2026
Host: Ann Johnson, Corporate Vice President and Deputy CISO, Microsoft
Guest: Rob Suárez, Vice President & Chief Information Security Officer, CareFirst Blue Cross Blue Shield
This episode explores the intricate relationship between cybersecurity, trust, and patient well-being in the healthcare industry. Host Ann Johnson speaks with Rob Suárez about how the landscape of cyber risk in healthcare is evolving, the moral imperatives that drive protection efforts, and the multifaceted nature of trust—spanning technology, culture, privacy, and resilience. This conversation delves into how to foster collaboration across interconnected healthcare ecosystems, manage emerging risks (AI, quantum, ransomware), and reimagine the CISO's role for a future where patient health and digital integrity are inseparable.
| Time (MM:SS) | Topic / Quote / Moment |
|--------------|------------------------|
| 01:16 | Rob's personal philosophy: cybersecurity is about protecting people, not just systems |
| 02:47 | What "trustworthy healthcare" really means in practice |
| 04:55 | Managing security across an ownerless, interconnected healthcare ecosystem |
| 07:11 | The criticality of closing the cultural gap and cyber literacy |
| 09:01 | Why privacy and safety are inseparable from security |
| 10:27 | Communicating after incidents: transparency, plain language, stakeholder focus |
| 12:53 | Prioritizing "what matters most" in security, especially in the context of healthcare technology |
| 13:53 | AI in healthcare: technology as an imperfect, evolving body |
| 17:13 | Purpose-driven teams: connecting technical work to patient well-being |
| 20:11 | Translating cyber risk for clinicians, boards, policymakers: empowerment over fear |
| 21:51 | Vision for the next-generation CISO: measures of trust, resilience, and cross-functional influence |
| 24:12 | Rob's closing optimism: record collaboration, ethical focus, and a human-centered approach |
The conversation maintains a reflective, mission-driven, and optimistic tone throughout, balancing hard lessons learned with an eye toward innovation, cross-sector collaboration, and putting patient well-being at the heart of cybersecurity efforts.
This episode provides both strategic and practical insights for anyone responsible for information security or digital trust in healthcare—offering frameworks for cultural transformation, technical best practices, risk communication, and future-proofing the CISO role, always tying these back to patient impact and trust. The blend of personal philosophy, real-world examples, and a clear-eyed look at emerging risks makes this essential listening for leaders across security, technology, and healthcare domains.