David Spark
What I love about cybersecurity. Go.
Janet Hines
I love learning about the business and going into all the little nooks and crannies of the business and finding out what makes it tick and what's important and how I can help.
David Spark
It's time to begin the CISO Series podcast.
Welcome to the CISO Series podcast. My name is David Spark. I'm the producer of the CISO Series and joining me is my co-host for this very episode. You all love him. He is the principal over at Duha, none other than Andy Ellis. Andy, say hello to the audience.
Andy Ellis
Good afternoon, folks. Or good morning, good evening, or good night.
David Spark
And what language is that in, Andy?
Andy Ellis
That would be American English.
David Spark
American English.
Andy Ellis
Okay, because I said folks.
David Spark
Folks. Okay, if it was in British English, what would it be?
Andy Ellis
Blokes.
David Spark
Blokes. Okay, folks to blokes. All right, I liked it.
Andy Ellis
And if it's Australian English, it'd be mates.
David Spark
Ah, good point. All right. Our sponsor for today's episode is a brand new sponsor of the CISO Series. It's Guardsquare Mobile Application Protection. Multi-layered protection unified with automated security testing. Detect threats in real time and trust that it's your app interacting with your APIs. More on just that a little bit later in the show. Andy, you want to know what my source is today?
Andy Ellis
What is it today?
David Spark
My issue today is my fish tank. So I have always had a fish tank. This is, I think, the fifth one I've sort of had. In all the years that I've lived since college, I've had a fish tank of some sort. And it was discovered that there was a pinhole leak through one of the seams, luckily at the top of the tank. So at the top third of the tank. And it was one of the things where literally a very slow drip, and there was this big puddle on the floor. I'm like, oh.
Andy Ellis
Were you able to put a ball into the pinhole?
David Spark
No, it's not.
Andy Ellis
And then seal it because then you'd have a pinball.
David Spark
No, no pinball, no ball. He's very funny. It's actually not far from where my pinball machines live. But so I did try good old-fashioned Gorilla Glue that works on glass. That does not work at all. You need to literally fix a seam on the inside, which is not easy when there are fish still swimming in the tank. So I've come to the position of I've got to get rid of the fish. And most aquarium stores will take donations of fish, like when people have situations.
Andy Ellis
Or you could have sushi.
David Spark
That is true. I could have sushi. But I will tell you, these fish are not that big. There is not much meat on them. So amazingly, one of the aquarium stores I called, they were like, I don't know if we can take them. We have a big order coming in. And I'm like, aye, aye, aye. Forget you people. And I found another one that'll take them. It's just a little further drive, but that will be my project. And I'm putting them in a bucket and taking them to another fish store to donate them.
Andy Ellis
Your stories get fishier and fishier every week.
David Spark
Oh, and your jokes get lamer and lamer. All right, so now you know what I'm going to be doing later this afternoon.
Andy Ellis
Do you know something? Maybe someone will get them. We're recording this during Hanukkah, but maybe those will become a Christmas present for someone.
David Spark
Or it could be a Hanukkah present, 'cause we're on the last few days of Hanukkah.
Andy Ellis
It could be on the last few. I suspect at this point, you know, parents are not running out to get the Hanukkah presents for the seventh or eighth night, but could be.
David Spark
Well, not only that. Luckily this is, by the way, my most successful fish tank. And some of those fish in there are over two years old.
Andy Ellis
Wow.
David Spark
So nobody wants a two year old fish, I'll tell you that much.
Andy Ellis
Yeah, you should be sending them to like the assisted living facility.
David Spark
Yeah, but there's no way to look at a fish and know that's a two year old fish. I can't tell.
Andy Ellis
I don't know that I can tell other than by the smells. But you know, I mostly work with fish for cooking.
David Spark
When they're swimming, you really can't smell them.
Andy Ellis
Yeah.
David Spark
All right, let's introduce our guest. Thrilled that she's here, one of our absolute favorites. She is the CISO over at ChenMed, none other than Janet Hines. Janet, thank you so much for joining us.
Janet Hines
Hey, it's great to be here. Thank you.
David Spark
Understanding Security Sales.
What happens when a CISO tries to buy something? Andrew Becherer, CISO at Sublime Security, recently detailed his Kafkaesque journey through vendor contact sales forms. Unlike the typical cold call outreach, Becherer flipped the script. He actively sought out four vendors, filled out their forms with real details, and essentially gift wrapped himself for their sales teams. The results? One professional response, one display of chaotic inefficiency, one requiring a LinkedIn deep dive to find a human, and one that might be a honeypot. The irony is that when you're ready to buy on your own terms, vendors can't seem to answer the door. So what's really happening here? Is the vendor buying experience actually this broken? Or are security companies so focused on outbound sales that they've forgotten to handle inbound intent? And for you, I'm going to ask you, Andy, what's worked to actually get a vendor's attention?
Andy Ellis
The interesting thing here, I would love to know the size of the companies he did this with, and maybe I'll reach out and ask. Because what I often see is that companies treat their marketing team and their sales team as very separate entities. Right. There's a marketing pipeline that then kicks people over into a sales pipeline.
David Spark
Yes, I would agree.
Andy Ellis
And marketing owns the website. And so you fill out that form and you would think it's going right to somebody in sales, but instead it often is ending up in some queue. Now for outbound, because there isn't an inside or direct sales organization, especially in a smaller company. Once companies get larger, you would hope that somebody typing in that form, it goes right to a sales rep who's going to turn around and call you immediately and be like, hey, great, I'm very happy you're here. And in a mature organization, that is actually what you want to aim for. Your goal is to have everybody be inbound.
David Spark
Sure.
Andy Ellis
Because it means your marketing and messaging is working. People know you, they've done the research, they're coming to find you. But in reality, what's happening is we're trying to build these full service marketing sales organizations. We don't have enough people, we don't have people who even understand how that pipeline should integrate. And so somebody owns the website, they put in this form. And so you fill it in, it might just go to the content manager. And if they got laid off last month, maybe it's not going anywhere.
David Spark
Well, also, I would assume a lot of the stuff that comes through the form may be garbage and nobody wants to be dealing with it.
Andy Ellis
There's a ton of garbage there. The number of CISO communities I'm in where when a CISO wants to buy, they say, hey, who has a contact at.
David Spark
Right.
Andy Ellis
And then another CISO is like, oh, yeah, I'm a customer there. I'll introduce you to my sales rep. When I worked at Akamai, I would say I probably had one of those a week where a peer came to me and said, hey, I want to buy from you. Can you get me a sales rep?
David Spark
Right. And also someone you trust because you feel like if you go through the contact form, like, well, you're going to get the lowest of the lowest, probably.
Andy Ellis
Yeah. And it's painful because like in an enterprise company you have to go find the right sales rep. If I'm the CISO of the vendor and you want somebody, I have to go find out who's going to actually get the commission. And make sure you talk to them because otherwise the person who you first talked to is like, I don't get paid if we close a deal here because that's not my account.
David Spark
Good point. All right. Per Andy's description. Sounds pretty broken. Have you had this experience or colleagues, Janet?
Janet Hines
Well, I think you nailed it. I think what's happening is that they're so focused on banging on my door that they're not looking at their own door. Right. They just don't. They're all outward facing. And personally I've never filled out a form, I'll admit to that, because I don't think they go anywhere. Who knows? You fill it out, you hit enter and it's gone. And you get back that little "someone will be in contact with you, thanks for your interest." And you never hear back. So I don't go there. I agree that it's a peer thing. Right. You really do need to find out who's who from your peers. And it's like navigating without a phone book. Right. You have no idea where to go. Sometimes I go on LinkedIn, if it's a company that no one knows and I can't get a reference from another peer. But as a CISO, they're just hitting our doors. They're not looking at their own.
David Spark
Well, so okay, then my ask for both of you if the experience could be different or better than it is now that you don't have to do the end around to get the salesperson that's sort of qualified to handle you. What would you like to see instead, Andy?
Andy Ellis
Well, I would actually really love it if marketing teams were integrated more tightly into sales teams. I think that marketing teams have sort of tried to create this independence and it should be that. No, no, no. The website there has two different roles. One is brand and messaging, classic market function. But one is a sales function when somebody says I have intent that needs to go right to sales. Whereas right now the problem is sales doesn't trust marketing. So now it has to get vetted by marketing before they will give it to sales when you've already got somebody who's expressed intent.
David Spark
All right, Andy wants marketing sales more integrated. What do you want, Janet?
Janet Hines
I want there to be a pathway. I want there to be an actual focus. Someone on the other end, right? That's focusing on it and then saying, oh, they're coming to me. Let's pay attention to them. They're coming to us. Let's pay attention to them. This is really, this is actually the warmest call you could get, right?
Andy Ellis
It is.
David Spark
The great CISO challenge.
Quote, "If your CISO reports to the same executive who creates the risk, that's not oversight, it's hostage negotiation," end quote. Now, that's Joshua Copeland of Crescendo, who, by the way, puts a lot of unpopular opinions out there, and he really stirs the pot. So we love Joshua for this. So he dropped that bomb on LinkedIn recently, arguing that what we politely call alignment is really just containment. The same executive who overrides security controls signs the CISO's performance review. He argues you can't empower security while keeping it on a leash. And if security leadership can't challenge the source of risk, it's not governance, it's theater. The question isn't whether this is a theoretical problem. It's whether CISOs can actually do their jobs when trapped in these reporting structures. If you're in one of these compromised reporting lines, what's your strategy for maintaining independence when your boss might be a primary source of risk? And have you been a part of this, Janet? Have you seen this? Have your friends seen this? What do you do in these situations? Do you agree with Joshua? Let me ask you that.
Janet Hines
I totally agree with him. In fact, I insist on not being part of that.
David Spark
Good.
Janet Hines
As far as when I look for roles, my last two roles, current role included, I am not in that line of command, and I'm a peer organization, which is much more helpful in getting things done. So you've got people listening to you that normally wouldn't even hear you. You'd be stifled, you'd be muffled, you'd be silenced. So I completely agree with him, and I think it should be the way CISOs report everywhere.
David Spark
Good point. So, well, you agree. So my question is, there are a lot that are under this reporting structure. In fact, I wouldn't be surprised if it's the majority. What do you do if you're in that? Like, let's just say you're stuck. You've definitely negotiated well for yourself, but others have not. What should they do?
Janet Hines
Well, I think they've got to find someone outside of that chain of command who can advocate for what they're trying to get done. And sometimes it's the risk organization, sometimes it's risk management or enterprise risk. Sometimes it's legal, sometimes it's the chief financial officer. There are different places you can go to get that advocacy for what you're trying to do and to make sure it stays seen as a risk. It gets developed, it gets funded, and you are able to close down those risks. And the challenge is, as you raise, or as Joshua raises, that performance review. Right. And so you've got to get those same advocates in the room that you're not in. Right. Speaking up when it comes time for performance evaluations and during calibrations of performance reviews, making sure those folks are advocates for you as well and understand what you're trying to do and support you.
David Spark
Very good. All right, Andy, the same question to you. A. Have you ever been in this? I don't think you have. Have you?
Andy Ellis
Well, actually, so the answer is yes. And I'm actually really glad I have an ottoman that my feet are on because as you're reading Joshua's words, I'm really glad I didn't get my feet really dirty there because, boy, was he shoveling it. All right, I actually disagree strongly.
David Spark
Let's hear it. This is what we like.
Andy Ellis
But in a way that's nuanced. And first of all, the CEO creates all risk. And none of us are advocating that the CISO doesn't work under the CEO somewhere. So at some point you have to say, you do not have independent governance over the company. Like, that is not the role of the CISO. But the way that Joshua has worded this assertion, that's what would be required to solve this. The CEO ultimately defines your compensation. Now, that said, I think there's a lot of organizations where there is an operational executive, the CIO or maybe the COO, who owns all technology and is sort of hands on that organization, then they bring the security underneath them. If you're in that role, you are not governance. You are security operations for that organization. You do not sit independently from them. You have to accept that and say, oh, look, my job is within this organization. What can I do? I need to learn psychology so that I can manage upwards and adjust the risk profile of this person. That I don't get to go independently and say, oh, oh, my boss is screwing it all up. Like, let's just be very clear. The correct answer to that situation is to pick up the phone, call Janet and say, hey, Janet, how did you determine where to take a job where you weren't gonna get stuck in this? Because that's just part of the job. Now, if you're fortunate, you might have a larger span than your boss does. Like, I've been in that role where my boss had a narrower span over technology, and I had security governance across the whole company, including over my boss. And, yeah, it created a lot of tension. And the worst cases were where he would tell me, oh, yeah, we need to get this work done. I will tell your peer X to go do it. And then I'd go sit and talk to the peer. And the peer's like, no, I got told not to do this work. Right? And I've got a boss who's doing that.
And then when I go back in front of the CEO with my boss in the room, like, well, this work isn't getting done yet because it's been deprioritized over here. And the CEO looks at my boss and says, well, you need to fix that. And my boss is like, oh, yeah, we'll fix that. And then nothing ever happens. At some point, you just accept that that's part of organizational dysfunction in the corporate world and say, what can I actually get done instead? Because here's the real secret. There is plenty of good work to do. Stop beating your head against the wall that you're not gonna break down.
David Spark
And I should also mention, and correct me if I'm wrong, whether you're underneath the CIO or not, you're still working with the CIO.
Andy Ellis
Yes, absolutely. I mean, you should be working with everyone. What I love about security very much. Janet's cold open just hit for me the exact thing. You are the widest reaching executive in the company. You have to learn every line of business, everything that they're doing, and it is fun. If you don't enjoy that, go find another job. Because the real job is not how do I stop people from doing stuff, it's how do I help make them more effective in a safe way. And to do that, you get to be right up close with them. So you've got to have great relationships with every one of them.
Janet Hines
I completely agree with Andy that you really do have to pick your battles. And sometimes I find myself pushing a big boulder up a hill, and I have to stop myself and ask why there's so much more to do. There's so much to do. And so just really making sure you don't get stuck. And that's the only pathway and thinking about what else you can do that improves the security maturity of the company.
Sponsor/Guard Square Representative
Before I go on any Further, I do want to tell you about our spectacular sponsor, and that would be Guard Square. Mobile apps today have become an inescapable.
David Spark
Part of life, right?
Sponsor/Guard Square Representative
Ranging from financial services to healthcare, retail and entertainment. Users trust mobile apps with their sensitive personal data. But a recent survey showed that 72% of organizations experienced a mobile application security incident last year. And 92% of respondents report rising threat levels over the last two years. Meanwhile, attackers who want your user's personal data are constantly finding new ways to attack your mobile app. They reverse engineer it, repackage it, and distribute the modified app via phishing campaigns, sideloading and third party app stores. By taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and maintain the trust of your users. That is where guardquare comes in. Guardquare delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps combined with a mobile application, security testing to find vulnerabilities and real time threat monitoring to gain insight into those attacks. Discover more about how Guard Square provides industry leading security for your mobile apps@guardsquare.com just go to G-U a R D that's Guard S Q U A r e that's square guardsquare.com and when you go, let them know you heard about them from the CISO series.
David Spark
It's time to play what's Worse.
All right, Janet, I know you know how this game is played. Andy, I make him answer first. You agree or disagree with Andy. This comes from one of our favorites who I actually just saw in Austin, Texas not too long ago, Dr. Dustin Sachs, who actually has his own new company called Cybercog Labs. So this is spanking new for him, and this is a short one, and I like this one. Get ready. What is worse, Andy? It's a third party with mature security but zero transparency, total black box, or a third party with weak security but radically open about issues and gaps, so you know where all their issues are. Which one's worse?
Andy Ellis
So I love this one and Dustin, this one's really good because I think there's an obvious answer, but I know a lot of people are going to disagree with me and those are, to me, those are sometimes the best. Where it comes down to what's my philosophy, right?
David Spark
This is totally a philosophy one.
Andy Ellis
Right? And in this case, honestly, much as it hurts, I want to, I'm going to say like the one that no transparency but great security, like, because at the end of the day I can just outbox it and I'm like, I don't know exactly how you're doing it. You're hard to interact with. But, man, you don't have breaches from you. I don't have problems. Whereas the vendor who tells me, oh, yeah, I'm a complete walking disaster, first of all. Now I know you're a disaster. So I've got a whole bunch of new issues that just popped up because I'm aware of the problem, but I've got to deal with it. But you're not going to improve, because that is rule number one is I don't get to alter the scenario. So you are my vendor, and you suck. And I know you suck, and you will never get better. Like, I have a hard time in that environment. Even if. Then when my auditors show up and say, well, do you audit all your vendors and know what they do? I get to say, yes. The next question is gonna be an ugly one. Well, have you fixed them? No. So I'm gonna go with the transparent but bad vendor is the worst scenario. But I really love this one, Dustin. Cause I suspect we have a lot of listeners who are gonna gravitate the other way that they don't like the lack of transparency.
David Spark
I bet you Mike Johnson would have said the opposite. Because he likes to know. He likes to know.
Andy Ellis
Well, let's see what Janet goes with.
David Spark
Janet, agree or disagree with Andy here?
Janet Hines
I completely agree with Andy. Because once you know, you know, and you can't unknow, and then you've got to deal with all of it. And if you've got a nice, tight, clean vendor that says, hey, here's all my reports, I'm wonderful, but I'm not. You can't look under the covers. Okay. You know, I've done the due diligence I can do.
David Spark
I mean, heck, a lot of security is trust. So you get to a point of like, well, we're just going to trust them, and that's how it's going to go. And we're done with that. Even though we really can't see what the heck they're doing.
Andy Ellis
Yeah. And look, I'll be honest. I started my career that way when I was early days of Akamai, and I'm doing sales calls. I'd have customers start asking details, and I just didn't even want to answer them. And so I would at some point be like, look, we're just stopping here. Over time, I got to look, I'll tell you pretty much anything as long, like, I'm not going to tell you exactly what keys we used to log into our deployed network. But I'll tell you the size of them, I'll tell you the algorithm, whatever, because 99 times out of 100, that just ended the conversation right there. And it wasn't anything that an adversary couldn't mostly figure out anyway. So I like, we all know that transparency is. Is good, but good security is better.
David Spark
So it's interesting you say that. And I'll throw this to you and Janet for the final comment. This whole show is about security. The whole network is about security. But we spend more time talking about the subtext, which is essentially, are you transparent? Do you know what's going on? Because if you don't know what's going on, you know the classic thing we hear from all these vendors about you can't secure what you don't know. We're so obsessed with the second level and not the top level that often we just go, hey, if it's secure, be happy with that. What do you think?
Janet Hines
Yeah, no, I think you're right. And I think it's because depending on who you're working with as a third party, what your experience has been. Right. Have you experienced that you need to dive in deeper because you've got these people who are very transparent but don't have a lot of security versus just saying, these guys got it together, they know what they're doing. I can back off because I think we're almost programmed to just keep diving in and diving in and diving in.
Andy Ellis
Yeah.
Janet Hines
And we don't know when good enough is good. Right?
Andy Ellis
Well, and I think the key on that one I have to keep diving in is I've had a number of customers in the past who just kept pushing on transparency. They wanted more and more and they wanted real time. It's like, I want to know exactly the software on every one of your devices all the time. I was just like, no, partly because I don't want to deal with your questions because I know that it will not end there. Then you'll be like, well, why are you using this version? Why didn't you patch it on Sunday instead of instead of on Monday? And why didn't you? And you'd be so wrapped around this, like, micromanagement through transparency. And so as a vendor, honestly, like, there is a limit of, look, I will tell you my controls, but I'm not giving you real time visibility into the operating model on my platform.
David Spark
Well, many of the vendors are trying to sell that very concept of real time visibility.
Andy Ellis
They sell that they will give it to you, but they don't actually.
David Spark
It's time to measure the risk.
Buy or build is a familiar dilemma in cybersecurity. Does it even extend to risk methodologies? Rebecca Brock of Safe Security had a discussion after the FAIR conference with someone considering building their own risk quantification methodology from scratch rather than adopting FAIR. Now, what's gained versus what's lost when you abandon a standardized model that's been tested, refined and broadly understood across the industry? FAIR isn't a new kid on the block when it comes to risk quantification. Yet plenty of security leaders remain skeptical or feel it doesn't fit their needs. So I'm going to start with you, Janet. Have you seen a roll-your-own risk methodology actually work long term? And what did it take to build and maintain it? When does build vs. buy work, or not work, with risk models?
Janet Hines
I have not seen a homegrown or built a homegrown risk model. I don't understand why you would. I get that there are nuances of risk models that you may need to adopt or focus on more or less depending on the industry you're in and where your risk lies. But you also. What I think you lose is you lose the ability to really do that cross industry comparison.
David Spark
Good point.
Janet Hines
You don't have the same framework. I imagine you would be constantly having to map your custom homegrown risk levels to a standard so people would understand them.
David Spark
All right, Andy, I know you have a lot of passionate opinions about this.
Andy Ellis
Man, this is like red meat for me.
David Spark
Yes.
Andy Ellis
Because I'm on the complete opposite side. I actually think that there are too many people who have a religious fixation with FAIR, and it needs to stop in our industry. Like, let's just be very, very clear. If you actually think that for most organizations you're going to be able to walk in and put a price tag on a risk project and say, oh, this is a $75 million risk and we've got to fix it, you're going to get laughed out of the executive room. Just start with that one. These are not actuarial problems. You cannot take the actuarial methodology that works in insurance, that deals across large populations, and apply it to singular individual risks. What FAIR is useful for is if you have a coherent model of your entire system space, massive if there, then FAIR is relatively useful in helping you highlight specific components that generate outsize risk by comparison to other components. Right. And you might say, oh my God, like, all of the biggest things that have come up when I ran this through Safe Security, in this case, since that's our sales rep saying this, oh, wow, I can just walk in and point out. But I should be able to tell the story. I don't need to say it's a $75 million risk. I should be able to say, we have this critical library exposed to the public on our web server that can write directly into our production system. We should hide that. And everybody would be like, oh, yeah, you should do that. That makes sense. Okay, great. Thumbs up. Let's go solve the problem. So I actually think that you should use whatever risk methodology you can use that will cause people who make decisions in your company to make better choices. If that's FAIR, more power to you. But in most companies, it is not going to be FAIR. It's not even going to be anything that's risk quantification. It's going to be risk qualification.
And if anybody wants more on this one, I'll do a little, you know, shameless promotion: go over to howtocso.com, pull up volume two on risk, and I walk through, like, every risk methodology that's out there, both quantitative and qualitative, where you should use them, which ones you shouldn't, and how to be really precise in your language here. But I strongly disagree with the premise here, but you might be lucky and find a company that loves FAIR.
David Spark
No, the premise was essentially, when do you build your own? When do you go with a model?
Andy Ellis
Well, no, the premise was you shouldn't build your own. This was a very leading question.
David Spark
Well, of course she's with Safe Security, and then she's supporting FAIR, of course.
Andy Ellis
Right. The answer is you build your own when that's what will resonate with executives. I have built my own before. In fact, in my ebook is the one I built, which we called the Pyramid of Pain, because that's what it was like. Building it was a lot of pain. But the CEO would not accept any existing risk methodology because they all had fundamental flaws. This was not his blind spot. This was. The people who'd written the methodologies fundamentally did not understand how business makers make decisions.
David Spark
But let me go back to what Janet said earlier. How do you compare yourself to others?
Andy Ellis
The point is you don't compare yourself to others except in very specific industry spaces. Like, you're in healthcare. What you're often going to do is say, hey, look, I have a vendor that assesses me and I am 95th percentile in my industry. That's the comparison. You don't come in and say, I'm a 7.2. You say I am better than average. I am worse than average. That's mostly what your peers, what your executive peers want to hear.
Janet Hines
That's the comparison that I'm always asked for across industries. How do we compare to our peers?
Andy Ellis
Right? And your answer is, you get whatever your vendor is. You say, hey, give me the industry metric and my metric with you. And it doesn't actually matter what the metric was as long as you can give a comparison against the measure of central tendency for your industry.
David Spark
Unexpected outcomes or failures.
3:00 a.m. Heart attack patient. System locked out. A doctor needs patient history now, but the system demands password reset, two-factor authentication and manager approval. All unavailable at three in the morning. Nadine Michelides of Anima People posed this impossible choice: follow security rules and let the patient die, or break security rules to save a life and create a compliance nightmare. The scenario describes using a colleague's login to access critical information and save the patient, only to face security violations and HIPAA concerns afterwards. Rather than create an oppositional relationship, security leaders need to engage with doctors about what they need in situations like this. But more broadly, how do you design security when the cost of denial isn't just data loss, but actual lives or catastrophic business failure? Janet, you are in the health industry. I ask you this. We've heard this type of scenario before. Let me just ask you, does it actually happen? I mean, is this a real scenario that happens, where essentially technology is preventing healthcare workers from doing their job?
Janet Hines
Well, certainly at my company, it's not life or death. I just want to state that in my current company. However, in this scenario, if I was given this scenario in my role, I would say it's the lives of the patients over everything else. Right? I mean, that's, that's why we're in healthcare, period. And for security violation and HIPAA concerns, there's certainly exceptions that can be documented and taken care of. Again, we talked about transparency, right? As long as you're transparent and you get right on it, there's just no reason anyone would choose security over the life of a human being.
David Spark
But, but, but this is the thing is, I've heard these stories before. Do you just. In your colleagues and stuff, do you know, does this actually happen where someone gets locked out of a system and they need to take care of a patient? Does this actually happen? Or is this a more fictional thing that doesn't happen? I don't know.
Janet Hines
Well, I mean, there's lots of different ways around that. I just, I wouldn't say that this is something that I would say it's more fictional.
David Spark
Okay.
Janet Hines
If I had to make a choice. And because. And the reason being is it's not just one human being that has the information about another human being. Right. The doctor is not the only provider that has information about a patient. So there's other ways to get that information.
David Spark
All right, good point. All right, Andy.
Andy Ellis
But I think the core premise, which is there are security rules that get implemented that impede the healthcare practitioners from doing their job of taking care of patients, is absolutely true. Like, I know a story of a hospital that disabled the ability to print patient records. Right. Because they didn't want someone to print the patient record and take it out of the building. But the terminals were not in the patient's rooms, so they were expecting nurses to memorize what they had seen and walk into the room. So since they had disabled direct print out of the record, but they were still in computers that had a print screen button. And so that's what would happen is the nurses would go to the nurse station, hit print screen, and now they're printing more than what was in the report that they actually needed to record vitals or whatnot. And so recognize that the humans are going to work around your system.
Janet Hines
Yeah. Or worst case, they're going to take a picture of the screen with their personal phone and now they got PHI, you know, somewhere else. Right. They're all going to work. There's workarounds for everything. Right?
Andy Ellis
Yeah. But here's the mindset that I like to give people for incidents, which is sort of the initial phrasing if we accept the movie plot scenario here, which is the way you should think about incidents, is incidents give you a credit card. Right. And the worse the incident is, the higher the limit on your credit card is. And in a sense, what the credit card is doing is buying new incidents that if you have the disastrous incident, like there's a patient life on the line, you have a credit card where you get to create any incident you want that does not affect another patient's life. Like, I'm saving the life. Yeah. I can create a compliance nightmare all I want, clean it up tomorrow. I can break systems, I can violate every rule there is, as long as it is not as bad as what I'm currently cleaning up. And if you walk into that mindset, right.
David Spark
And you've got, essentially you've got the credit card limited the budget, and the whole thing is that we can have, by the way, I love the credit card metaphor here, is because there are some people who pay their credit cards every month and some who do not.
Andy Ellis
Right, right. But in this case, your credit card is just measured in lower severity incidents. I got a severity one incident. I got the severity two credit card. I can walk through and create severity two incidents all I want to fix the severity one problem. And then now we'll take severity three incidents to fix the severity two incidents until you've got this all cleaned up. It's a great mindset for incident responders. Like this question, even if it was real, if Janet said, oh, my God, yeah, this happens all the time. But nobody is going to come up with a different answer than Janet came up with, which is, of course, you saved the patient's life.
David Spark
Yes.
Andy Ellis
Like nothing else matters at that point.
David Spark
Well, and you say it's mostly fictional. My guess is, because I'm sure you've heard these scenarios before, this is all designed to say, we want to win this way. Yes, Janet, you see what I'm saying, that they come up with these scenarios and where everyone goes, yeah, of course we're going to save the human's life. But they're created to say we're more important. We have to take control of this conversation. I'm just throwing that as an argument. Does that happen?
Janet Hines
I'm sorry, David, I'm not following what you're asking me. I think I got a little lost.
Andy Ellis
Yeah, I think we're. Let me re-ask David's question, because David's saying, when you're designing the system, you're going to roll it out. And you have the operator in this case, the physicians.
Janet Hines
Yep.
Andy Ellis
The doctor, the doctors. They'll put in place this scenario. Now, David's doing it as a part of their ego to say, well, we're more important. We refuse to listen to you. No, I've had people put out this scenario to say, you, you don't understand the business. Why are you proposing dangerous things? If someone said, oh, look, if you get locked out, you have to go take an hour before to get yourself unlocked before you can return to work. Anybody who said that to a physician should rightfully be disregarded from any conversation in the future. And if you're being disregarded in that way, that's not ego on the other person's side. That was your ego that created that problem, that you thought you knew better than the operator, how they should do their job without ever walking alongside them.
David Spark
All right, Janet, your take. Andy, thank you for explaining.
Janet Hines
So my take on this is, you've got to understand what the doctors need and when they need it. And you've got to also think about resiliency. Right? So whether it's a system lockout or it's a system down or it's whatever, there's got to be. And especially in healthcare, there's gotta be resiliency built in so that, you know, you don't have to say that that database, that system, that application is what's going to save access to that, is what's going to save the patient's life. There's got to be resiliency. And that's a whole other topic, correct?
Andy Ellis
Absolutely.
Janet Hines
Yeah. Yeah. But I totally agree that you've got to understand where the physicians in this case, in this scenario, you're talking about where the physician's coming from, what they need, and they're the expert, not me.
David Spark
Good point. All right, that brings us to the very end of the show. I want to thank you, Janet Hines, who's the CISO over at ChenMed, making sure that she's never put in one of these fictional scenarios at all. She's never in it, but she supports it 100%. Yes, we're all here at the CISO series. We are all for saving lives. And that's what we do here at the CISO series. Would you agree, Andy?
Andy Ellis
Oh, absolutely. Our goal is to save lives, mostly your life, so that your executives don't strangle you for coming up with bad ideas.
David Spark
There's always one way that we're figuring that out.
Sponsor/Guard Square Representative
Huge thanks to our sponsor, and that would be Guard Square. Remember, go to their website, guardsquare.com, for mobile application protection. Multi-layered protection unified with automated security testing. Detect threats in real time and trust that it's your app interacting with your APIs. Guardsquare.com, thank you for sponsoring the CISO series.
David Spark
Huge thanks to you, Janet, for coming. Any last words you'd like to say to our audience about anything, for that matter?
Janet Hines
Well, I want to make a shameless plug for a book that I wrote.
Sponsor/Guard Square Representative
Oh, yes. Yeah.
Janet Hines
Called Go Ahead, Ask for It. It's available on Amazon and it has nothing to do with security.
David Spark
What is Go Ahead, Ask for It about?
Janet Hines
It's about taking control of your career or it also, you know, helps with your personal life as well. Going ahead and asking for things you want. And I don't mean like, may I please have or will you please. It's having the backing and the credibility to ask for what you want in your life.
David Spark
I love it. And by the way, Andy wrote a book that has nothing to do with cybersecurity, 1% Leadership. So we will link to your book, we'll link to Andy's book. Why not? We've done that before. Thank you very much, Janet. Andy, as always, we appreciate you as well and we appreciate our audience. Huge thanks to our audience. We greatly appreciate your contributions and listening to the CISO Series podcast. That wraps up another episode.
If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Date: February 3, 2026
Hosts: David Spark, Andy Ellis
Guest: Janet Hines (CISO, ChenMed)
This episode dives into the everyday challenges and deeper philosophical questions facing security practitioners and vendors. The panel debates the sales process for security products, leadership reporting structures, transparency versus actual risk in third-party vendors, risk quantification models, and the high-stakes tensions between security controls and business outcomes—especially in life-or-death scenarios like healthcare.
Andrew Beckerer's Vendor Experience: Filled out legitimate sales forms with four vendors. Results: only one professional response; others ranged from chaotic to non-existent.
Joshua Copeland's Controversial Assertion: “If your CISO reports to the same execration, who creates a risk? That's not oversight, it's hostage negotiation.” (09:42)
Conversational, occasionally irreverent and playful, with a strong undercurrent of practical, lived cybersecurity experience. The hosts and guest are unafraid to challenge industry orthodoxy or poke fun at themselves and their peers.
Summary prepared for listeners who want a concise, in-depth understanding of the episode’s lessons and debates without the banter and ads.