A (16:12)

Today I am thrilled to welcome Rob Suarez, Vice President and Chief Information security officer at CareFirst Blue Cross Blue Shield. Rob, welcome to Afternoon Cybertea. One of the things that stands out in your approach is you and I met with you. I've heard you talk about the human element, both patients and also your team and the team within the organization and culture. Can you talk a little about your people behind the mission? You've led global cybersecurity teams across multiple industries. What have you learned about building teams that not only defend but also believe in the mission behind the work?

C (16:46)

It goes back to what we were talking about when it comes to how rapid change takes place in cybersecurity and all of the different types of cybersecurity threats that we need to focus on and protect against. It can be overwhelming and in fact healthcare, it's even more daunting because there is a patient at the end of everything that we do. And I believe that a purpose driven team always outperforms and it allows us to focus on where we need to pay attention and apply more pressure, apply more rigor in security. Care first emphasizes a human impact of cybersecurity and connecting technical tasks to patient safety and community health. As leaders, we cultivate this by sharing real world stories, investing in professional development and creating a culture around a mission at careforce that's making healthcare affordable and accessible to everyone. And we've seen cyber attacks in the past have incredible impact on the financial performance of organizations. Those dollars in healthcare when there is a ransomware attack, those dollars that are spent on recovering systems can go towards achieving better healthcare outcomes for patients. And we can look at the cost of services in your local community. For example, whether it's non medical emergency transportation or transportation to the hospital, or it's a preventative colorectal cancer screening, or if it's diabetic testing strips and getting a 30 day supply, there's a cost tied to each of those healthcare services. And when cyber attacks happen, it detracts from being able to afford those different types of services. And so I feel that is where you start to cultivate a sense of purpose. In my world of healthcare cybersecurity, it's a conversation around how our work impacts patients and their wellbeing.

A (19:01)

I love that, I love that you just tie it back to patients and their well being. And one of the things that you also have responsibility for beyond patients and the day to day operations of the program and the team is the board. You have to influence the board. CISOs are more and more frequently having to influence their board in healthcare. You're also influencing your clinicians, you know, doctors and nurses and medical professionals that just want to deliver care and don't want to be inconvenienced. You're having to influence policymakers and of course you're having to convince patients to trust you. When you think about all of that context to cyber risk, how do you translate cyber risk into language that inspires action and confidence rather than making people fearful?

C (19:44)

Well, in healthcare I believe we need to reframe risk as a shared opportunity for resilience using plain language and relatable analogies instead of fear based messaging communications need to highlight empowerment. Your action protects health. The metrics and dashboards are designed to show progress, not just exposure. And so there is a sense of confidence that we need to have when we're practicing cybersecurity and that allows us to be even more transparent around cybersecurity risks and the vulnerabilities. Because you can't protect what you don't know.

A (20:27)

I think that's a great phrase that everyone has to actually keep remembering you can't protect what you don't know. When I talk to CISOs and I'll say to them, what is your number one issue or what is your number one problem? And they all say visibility. It doesn't matter where in the world I am, doesn't matter the size of company, doesn't matter the industry, they are concerned about what they can't see. They are concerned about network devices, they are concerned about the rogue tenants that now they're concerned about rogue AI. Right. The agentic world shadow agents. So thinking about that and thinking to the future, because we are going to see a proliferation of agents, we are going to see a proliferation of agentic to drive productivity, to drive research in your field, to drive better medical outcomes. If you could redesign the CISO role for the next decade, not the past decade, what would you change about how the role is measured, how the role is structured, and how the role is empowered?

C (21:23)

And I believe the future of the CISO should be measured on trust, outcomes and resilience, not just compliance. The role must expand beyond technology to influence culture, ethics and innovation, even as part of the overall strategy of an organization, even in the title. This job is no longer just about information security. And certainly empowerment comes from board level visibility and authority to shape enterprise risk postures holistically. I think that reporting structure to the board is incredibly powerful. I think the other part is the ability to peer into our lines of businesses and influence, have a seat at the table when it comes to decisions of how the company will change and provide different services into the future. Enabling technology, but also factoring in all these other forms of risk that may impact the value that we're providing to people, to patients.

B (22:35)

Be sure to check out the complete afternoon cybertea podcast wherever you get your favorite shows. It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at cyberscoop. Tim, welcome back.

D (23:01)

Good to be back.

B (23:02)

So Tim, I feel as though these past few days, past week or so, you have been really putting the scoop into the cyberscoop name with some of the stories you've been publishing here. By my account, certainly you were the first that I saw in my review of the news who had this story on Mr. Ghatamukala out as the director or acting director of CISA.

D (23:26)

Yeah, I think there was another outlet that got there first. But in terms of Cyber World. Yeah, maybe we're the first people to write about it. It's a big deal. Obviously. You know, Dr. Gautamikawa has been leading the agency for quite a time now and you know, the reviews were not stellar. Yeah, I would say maybe that's an understatement.

B (23:48)

Well, it just struck me as maybe not being a good fit. Do you think that's a good way to frame it?

D (23:55)

Yeah, I think, you know, he went from the chief information officer of a small state to running a multi billion dollar agency. And you know, the people who have said nice things about him will say that he's got a good technical background, but suddenly he was doing A lot of policy stuff and doing a lot of kind of big level things that maybe he wasn't equipped to do. You know, there were the stories in Politico that were pretty damning about his use of ChatGPT and him not passing a polygraph. You know, one phrase that somebody used to describe his leadership to me was amateur hour. You know, it feels strange to. To talk about someone else in those kinds of stark terms, but those are the terms people use to me. Well, yeah, he. He wasn't. He didn't have the experience. He didn't have the background. You know, he's leaving to go take a DHS role. That sounds more like the kind of role he'll be good at. So we'll see how that works out.

B (24:53)

So stepping in for him is Nick Anderson, who was executive Director for Cybersecurity at cisa. Do I have that right?

D (25:02)

You do, yeah. And he is someone who I think people are enthused about. He's someone who has been doing a lot of work, I mean, a lot of the public facing work that CISA has been doing, he's been the one doing it. He's been the one leading the background calls. I don't mean on background. I mean the calls with reporters to talk about binding operational directives. He's got both a tech and policy savvy. He has a good reputation. Beyond that, I don't think people think of him as, you know, one of the things that people dinged Dr. Gautamakola for was that they, you know, on the Hill, people thought he was kind of hiding a reorganization plan from them. Whether that was justified or not, that's. But that was the perception. I don't think anybody thinks of Nick Anderson as a dishonest broker right now. Certainly he's had to deliver some news about the future of the agency that wasn't well received because it was involving cutting back on missions. But I don't think anybody thinks, oh, this guy is a problem. Right. I think they think he's a sharp operator.

B (25:57)

That's the impression I've gotten. I haven't had the opportunity to speak with him, but pretty unanimously, the folks I know who have worked with him have been impressed. And as you say, they're looking at him as being a sharp operator and I think looking forward to his leadership.

D (26:19)

Yeah. I think if, you know, it would have been interesting maybe to see what the CISA leadership would look like if it was as intended. Where Shawn Plenky was there as director and Dr. Gatta McCullough was there as deputy director, maybe that would have been a better situation than we've ended up with. I don't know. But when I think of the kind of person who probably should be the acting director based on their abilities and everything, I think that Nick Anderson makes perfect sense.

B (26:44)

Well, let's wind the clock back an extra day or so to the report that you put out that was categorizing SISA as being in real trouble here.

D (26:56)

Yeah. So I, you know, I heard from a couple people this, you know, may have played a role in what? In the decision making. I don't know if I don't know for sure, but I've heard from a couple different people that it did. It was a pretty comprehensive look at where CISA is as an agency. And normally with stories like this, when I'm calling people who I think are going to be maybe want to cheerlead the administration.

B (27:18)

Right.

D (27:19)

Like a Republican in Congress or people in industry who like the idea of a less regulatory approach to cyber, normally I would expect them to lead with this is what CISA is doing. Well, we wish they would do these things better also. Instead, it was pretty much, CISA's not doing this well, CISA's not doing this well. CISA is not doing this well. And I literally got to the point in a call with one industry person, I'm like, what is CISA bringing to the table right now? And that person just said it. It's hard to think of anything good to say right now. It's an agency that has lost a third of its personnel. It's lost a lot of its expertise. You know, not just losing volumes of people, but losing people who have been at the agency for a very long time. And that's led to a loss of capabilities. I mean, from things like international relations, things like providing services to state and local government, election security, coordination with industry. A lot of people in industry say they can't get meetings with CISA because there just aren't the bodies in place. It's a pretty dire circumstance to pretty much everybody I spoke to, except for one who was, I think, being a little bit more optimistic than others. But I talked to lots and lots of people and almost everybody 201 was like, it's in bad shape. And maybe even in harsher terms than that, obviously.

B (28:27)

Yeah. It strikes me as really being a tough time to be a good faith public servant these days at places like cisa.

C (28:36)

Yeah.

D (28:37)

And, you know, I think you and I talked about this briefly before, but you know, there might come A point where. And people have talked about hoping this will be the case, that when CISA has its full leadership, they will staff back up. Maybe they will, maybe they won't. I don't know. But there are legitimate worries about who would want to go work there. You know, the way they push people out, you know, some of the stuff didn't even make the story about them doing management directed reassignments. MDRs, I believe is the acronym. Sending people to parts of the country they don't want to work for. Working and short notice, giving them basically ulterior motives. Not ulterior motives, but like, ultimatums to say, you got to do this or you can't work at cisa. And so a lot of people said bye, and a lot of people didn't like being treated that way. There was a sort of a grim note toward the end of my story. I was talking about what is the cause for optimism for CISA right now. And Jim Lewis said, you know, on the plus side, for cisa, it's a bad labor market.

B (29:31)

Wow.

D (29:35)

That's kind of a rough situation to be in when that's good news.

B (29:38)

Right?

D (29:39)

People might be desperate.

B (29:41)

Yeah.

D (29:41)

You know, I consider myself something of a patriot. I want America to succeed. I write these stories because I want to call attention to things that could be better and need to be better.

B (29:49)

Right.

D (29:49)

So I'm hopeful that that is not the case. I'm hopeful that they won't just get desperate people. I hope that they'll get qualified people. And again, that's if they build back up. You know, the other big problem, of course, is that, is that the Trump administration and his allies have hated this agency for a very long time now.

B (30:05)

Well, I want to call attention to that because as you point out in your article, you write that Trump has harbored animosity to Issa since 2020. And I feel like that shadow just looms over the agency almost like an albatross around their neck that they just can't get out of the way. Maybe a better way to say it is that shadow hangs over their mission.

D (30:27)

It definitely does. The leadership in the first Trump administration, for the most part, until the very end, they steered clear of anything. I think that could have ticked off Donald Trump. And then in 2020, during the elections, they did the fact checking, and then the administration was about to end. So maybe that was a carefully chosen timing to do that, to keep their heads down and not do things that would draw his ire. Because a lot of their work that they do, it could run afoul of him if they just do their jobs. Right, Right. So I think there were things they avoided doing. It's hard to talk about this president sometimes, but he's not someone who necessarily keeps grudges for rational reasons. I guess I should say there's no obvious logic sometimes to why he's mad about something. And because of that, maybe you could say, oh, Sean Planky's at the table. If they have a full time leader who was picked for this job, maybe he can earn that trust. It's hard to see Trump suddenly deciding he likes this agency. He's been mad at them for five years.

B (31:27)

Right.

D (31:28)

He's going on six years. He's mad at them. So how is he going to stop being mad at them? I don't know. I guess he stopped being mad out of nowhere at people sometimes. Think about how he talked about Mamdani before the election and how he talks about him now. Maybe, but it seems like it's a, I think a shadow that you, the phrase you used is a really good term for this. It's maybe not completely in dark forever, but it's certainly in that shadow now and it's hard to see how it gets out.

B (31:55)

Well, I mean, to go towards the positive here, to wrap things up, do you suppose that having Nick Anderson at the controls here might provide a little boost in people's attitudes at the agency?

D (32:10)

Yeah, I think so. And one of the reasons is kind of dividing up a story like I did. How do I divide it up? Right. How do I write about what parts? And there was a lot of blame for Congress about this, by the way. The Trump administration has done a lot of things to cisa, but the Congress has done a lot of things to not help cisa. And then another big portion of it was that the current leadership has not been doing a good job. It was a consensus view. So I think, yes, if you have someone in the job that people think highly of, it stands to reason that they'll fare better. And the reasons that Dr. Gandmakala's leadership were frowned upon weren't just because they didn't like him. Although some people, I think that was the case. It was the job that he was doing. People didn't like the job he was doing and that made them not like his leadership. So if you bring someone in who has shown some capabilities to do the kind of things that I think people think CISA needs to do, then maybe, you know, different decisions are made. Maybe there are fewer distractions. Maybe you can focus, you can really focus on the mission and try to do the things you can still do well. And there was a portion of the story where we talked about the things that CISA is still doing and doing well. So, you know, I think it stands, it does stand to reason that things will be better off probably under Nick Anderson, I'm going to go ahead and steal it from you before you say it. Time will tell,

B (33:29)

it always does.

D (33:32)

But I think. I think that's a reasonable projection about how things might go.

B (33:36)

Yeah. Tim Starks is senior reporter at cyberscoop. Tim, thanks so much for taking the time for us.

D (33:42)

Thank you, Dave.

B (33:56)

When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and vpn, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo@meter.com cyberwire that's M E T E R.com cyberwire. And finally, Microsoft's grand AI makeover of Windows 11 has earned it a nickname it probably didn't workshop in Redmond Microslop, the label born of frustration over what many users see as AI ambition. Outpacing operating system polish has spread briskly across social media. Microsoft cannot stop the meme everywhere, but it can try on its own turf. Users discovered that the official Copilot Discord server automatically blocks messages containing Microslop, replacing them with a polite moderation warning. Predictably, this only inspired creativity. Variations like Microslop with a zero instead of an O slipped past the filter in a classic Internet game of cat and mouse. As users pushed the joke further, some accounts were restricted and parts of the server were locked down. The episode underscores a broader tension. Copilot does offer genuinely useful features, but Microsoft's AI first strategy has left it juggling innovation, optics and an increasingly mischievous audience. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes were mixed by Trey Hester with original music and sound design by Elliot Heltzman. Our contributing host is Maria Vermazes, our executive producer is Jennifer Ibin, Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the Global Security Conference community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26. I'll see you in San Francisco. Most security conferences talk about Zero Trust. Zero Trust World puts you inside this is a hands on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live Hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert led sessions, practical case studies, and technical deep dives focused on real world implementation. Whether you're blue team, Red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.