D (2:08)

Thank you. Yeah, happy to be here.

C (2:09)

So, Ed, let's just kick it off here.

D (2:11)

All right, John.

C (2:13)

Yeah. Talk to me a little bit about what you're seeing for third party risks and how that manifests across the industries you're involved with, like healthcare, supply chain and financial services.

D (2:24)

Yeah, well, third party risk, you know, if you look at the last couple decades in healthcare in particular. And so, and I've done, you know, this is my 11th company, I've done many other industries. It wasn't until recently that I actually entered into healthcare back in 2009, 2010. And what I found was, and because I typically focus on disruptive technology, I found that everybody was five years ahead of healthcare. So they had the infrastructure to support disruptive technology. And healthcare was always behind up until 2009 when the Obama administration put a lot of money out there for the healthcare industry to change. And basically think of it as a forklift upgrade to their infrastructure. Right. So they could get off a paper and onto electronic medical records. And that really changed everything for healthcare. They went from being five years behind to being at parity with most industries. In fact, in some ways, adopting AI may be faster than a lot of industries. Yeah. Which is good and bad, a little scary, a little risky. When you look at the change that happened over the decade, you also went from business processes and functions that were largely distributed, some requiring third parties and some not requiring third parties, some requiring on premise applications, and everything's largely moved to the cloud. And I mean, there's still on premise applications that exist out there depending on the scenario and the health system. But for the most part, you think about the complexity a health system has to manage. It far exceeds any other industry. You've got SaaS applications, you have on premise applications, you have IoT devices, you have medical devices, which is a completely separate set of technologies. Now you've got AI which exponentially increases the attack vector, the attack surface. So third party support every single business process today in health care, whereas 10 years ago it was a mix. Right. So cyber has to change. Cyber goes from a vertical function to a horizontal function. It touches every single business process and critical function. So what we find is that third party risk is as important, if not more important than enterprise risk in some sense, because every single business process requires a third party.

B (4:59)

Yes. Interesting. So I'd love to talk a little bit more as we look at kind of the gravity of risk right across all of these different functions and kind of scaling security response that organizations must take. Because it's medical devices. You hear a lot about how it's very much a different kind of industry. So I'd be kind of curious on the risk landscape you're seeing and kind of security response.

D (5:26)

Yeah, security response and recovery is much more important than it ever was. So again, for the last decade or so, we spent time on the front end of the protect Detect functions within this CSF or identify, protect, detect and respond and recover were always an afterthought. That's changed over the last, say, five years. Because with Change Healthcare, that event and other events every year, every single quarter, we seem to see something new that comes in to focus. There's a better understanding and appreciation for. It's not a matter of if, it's a matter of when. Exactly. Right. And so if you're going to get attacked at some point, then you really need to think about your investments shifting from the identify, protect, detect functions to the respond recover functions. Because if you do get attacked, then it's all about how quickly can you bring the systems up that you require to run the business. And that's the other change. For the longest time, we've thought about the problem from a flat perspective. The hierarchy is flat. Vendor product risk attributes, security attributes. We now need to think about it ontologically from a business process and a critical function perspective. Because a not all business process should be created equal. Right? Some are important, but some don't shut the business down. There are critical functions in healthcare lab blood imaging that require quick recovery because without those services, without those functions, we cannot operate as an organization, we cannot deliver care as an organization. So it's really important to understand those and have a picture of what those look like and then map those, those vendors and products that are associated with those critical functions. And then think about things that are obviously in the cyber camp, but also that might be in the legal contractual side of the house. Right? Like we want to work with this particular vendor and they're giving us a pretty decent discount, but they're requiring exclusivity. Right, well, that sounds good on paper until they go down and you have, you don't have an alternative set up, right. As part of your continuity and disaster recovery plan. So we learned a lot through the change health event that really is changing the perspective of cybersecurity and risk management overall in healthcare.

C (8:06)

So help me reconcile some of this, right? Like, I mean, I think I agree with you on the like, there's an inevitability that they'll be issues, that there'll be compromise, there's constantly new attacks. But yet, you know, as I, as I hear you, and I think I agree, right, like the health system needs these technologies. How, how do we find a way to be secure? I mean, is this, is this all about assessing and automating? Is it about management? Like, what's the answer?

D (8:40)

Yeah, it, it starts with the inventory, right. So you can't protect what you, what you don't know. You've got to really identify your organizational inventory and assets that, again, are critical to running the business. And then that lens really helps you prioritize where to spend your scarce resources. If you had infinite dollars, this would be easy, but it's never the case. So you only have so many people, you have so many dollars, you have so many, so much time. Right. So the temporal aspect of all this, so where do you focus? And by starting off really understanding your environment and how it maps to your business, you can prioritize and tier those areas accordingly. You may want to spend more time on your critical functions than you do on everything else. But if you don't know, then it becomes a little bit of a guessing game.

B (9:39)

So I guess building on this a little bit, you know, you hear a lot about kind of secure by design. Right. Versus holding on security at the back end. And I know you've spoken a lot about this and kind of what's your perspective on potential risks or consequences when organizations don't happen to embed security into their enterprise risk management frameworks and then just kind of, you know, pray everything works out.

D (10:06)

Yeah, yeah. So I'll give you an example of what we did. So when AI came, came out, generative AI came out and it, you know, you could definitely see how this could be consumed quickly. Yes. Across every aspect of your organization. We began a journey with our product set and our strategy to obviously embrace and adopt it. And we had to do it through.

E (10:27)

The principles of secure by design, secure by default.

D (10:30)

Because, you know, we, we, we service our, our customers. They require high levels of security and transparency. And what we saw other organizations do, whether they be new or otherwise, they were saying, hey, we've got this new shiny thing that's got AI, it's brand new, take a look at it. And so it would come in through the front door of an organization. Right. And most healthcare organizations rush to create AI governance committees, cross, functionally cross clinical administration, operations, et cetera. Which is smart because now you've got a governing, a governing, you know, a metering, if you will, body that's going to look at everything coming in and meter and govern adoption accordingly. Right. Do we understand the use case? Why are we bringing this in? Who's going to own it? What's the risk? Right. Not just cyber risk. What's the data quality risk? Right. We're getting hallucinations and data drift. Right. So all these things are important in the industry and the state of art is moving so quickly, and the models are changing so quickly that you really require a committee. Nothing slows down progress like a committee. I like to say to sort of again, govern the speed at which adoption occurs. Because in healthcare, if a doctor or nurse or otherwise a clinician has the power to make purchasing decisions outside of a process, then you end up with a lot of shadow it. Right. We need this to deliver care. You know, we'll go through the process, but we're going to acquire it as quickly as possible because, you know, we're going to help our patients. So, so there's that always that balance about how quickly do you adopt these new technologies while ensuring that you don't bring in new risks into the organization. So what we did was say, okay, we're not going to do that, but we also have to think about it foundationally. We need to build AI into the foundation. It shouldn't be a bolt on either. Right. So secure by design was the first principle we looked at. How do we build our own secure environment? How do we partner with AWS or some other provider so that we can do what we need to do as an organization and provide the level of confidence that our customers need. Right. That it's secure. The part two of that is by default. What that means is it's available but it's not on. Right. And that's so critical. I don't know if you've seen this, but I certainly have. I turn off all the Microsoft AI capabilities, I do an update and they're turned back on. Why do they do that? Like, it just drives me crazy. Adobe, when they first came out with Acrobat, they pushed their AI capability on you and you had no way to turn it off. And then, so I had to uninstall it. And then Reddit lit up and they eventually capitulated and made it secure by default. Right. So you have to give the options to your customer to adopt at their pace and, and their risk tolerance and profile. And. And so I tell you that story because the second part of that is all of the risks that customers don't even know about. I call it the insidious risk. Right. Of AI.

E (13:51)

Everyone thinks it's coming through the front door. It is, but it's also coming through.

D (13:55)

The back door and it's coming through the bathroom window and it's coming through the attic and it's coming through the floorboards. It's. Any product that is currently in use in your inventory has the ability to update Again, if you don't have a really Strong update path and governance process, which a lot of people don't do because it's very complicated and they're introducing AI. So you may think that all the risk is at the front, but it's really not. It's actually, it's already there. So when you think about the complexity in the attack service, I say it's exponential because now you have one of the greatest capabilities that we've seen. Well, I mean, obviously the Internet was a huge wave. You have PCs, you have the Internet, now you have AI. And AI is exponential in terms of.

E (14:43)

What it's going to do, not only to the industry, but I think the society in general. So. And it's happening so quickly.

D (14:51)

People are just scrambling to get their arms around how do we adopt what we need today and then how do.

E (14:57)

We manage these risks as they come to the front door, but also as.

D (15:00)

They appear in the back?

C (15:03)

Yeah, I like your description of that as, as an insidious risk. I think, I think you're really hitting the nail on the head with that. I want to dig into that AI bit a little more. Right. So in other industries, like in California, we're seeing like a legislative pushback on responsible a use by, say, police departments. What do you see as the risks of AI in the healthcare systems that you're experienced with? Like, what are the things that could go wrong? And then, of course, how do we then help prevent those things from going badly?

D (15:39)

Sure. So one of the things we did in 2021 is anecdotally I was hearing ransomware was putting patient lives at risk. But there was no research that really told the story or qualitatively or quantitatively. So we set out with Poneman Institute to do a research study, and my assumptions were way off. I thought 2% mortality rate increases over 20% mortality rate in 2021. For, for, for, for ransomware. Now this is qualitative. Shortly thereafter, the cisa, the, the Agency for Infrastructure. Right. They came out with a quantitative study that pretty much backed our qualitative study. So now we made that connection with not just data loss, but patient safety, patient lives and patient care. And, and so I tell you that sort of as the backdrop to. That's a ransomware is a pretty binary attack. Right. I mean, the process by which they get there isn't so much, but once it's done, everything's off. And then you've got to figure if you can recover or you pay the ransom and you recover that way. Right. Whereas AI, it's not so black and White. It's not so binary. Right. The risks, I think, are the same. You have data loss, you have a data loss vector, but you also have a patient safety vector as well. Because now if the data is telling you one thing, but hallucinating or there's data drift and you're making decisions based on that data, that could be a problem.

C (17:21)

Right.

D (17:21)

You could be administering the wrong diagnosis, you could be administering the wrong protocol or drugs or whatever. Right. So that's the risk we have to think about as we start to adopt AI. That's a very different. It's still patient safety related, but it's not necessarily a cyber risk. It's a data quality risk, an efficacy risk.

B (17:47)

Piggybacking on this AI discussion, because this is a fascinating realm because there are so many unknowns. And as we know, there's a new AI startup, you know, every day of the week. Right?

D (17:59)

Every minute.

B (17:59)

Every minute.

D (18:00)

Yeah.

B (18:00)

Of every day of the week. And, you know, and someone had brought this up in another conversation, but, you know, we're all excited to take advantage of what AI can deliver. Right. And productivity, innovation, whatever that might be. But particularly in the realm of healthcare, you know, you have to hook up these AI right, To your data. And in health care, patient data perhaps, Right. For whatever you're trying to do. And I think to your earlier point, right, what if these companies are fly by night, you know, they got the funding, they're shiny for the first six to nine 12 months, and then all of a sudden they go, where away? I think of 23 of me. I've got to get my, I got to get my information off of that, you know, but what's your perspective there? I mean, this seems like a very tricky path forward in that regard.

D (18:53)

Yeah, it is. And I think, you know, again, that's why I think the AI committee is a smart, you know, initial approach because it can slow down that adoption. Right. And start to set up a rubric for evaluation of the things that matter. So right out of the gate is, okay, you want to bring something in. What's the use case? Oh, I hadn't thought about that. Now that person's got to go back. Right, the use case. Right. Okay, so what's the profile of the organization? Oh, they're, they're based in, you know, the Ukraine. Oh, we can't use that. Right. We have a, we have a policy. So you've got this, this rubric in this lens by which you start to evaluate the adoption. And some of that is, you know, may not even be at the cybersecurity level, maybe a phase gate approach, right. They've got to look like this. We have a offshore policy that says we can't offshore data. If they're offshoring the data right out of the gate, we can't use them. Right? So let's stop talking to them, let's stop conversation. They're outside of our risk profile. But say they check all the boxes, bring them in now.

E (19:56)

We have to look at them from a cybersecurity, traditional cybersecurity issue.

D (20:01)

We also have to look at the guardrails by which they set up to validate and verify the efficacy of the data. Because if we're getting bad data outcomes and we're applying that to care delivery, that's not going to turn out well for anybody. So it's a multi part process and I think people are getting their arms around it now as we're going through this, I don't know, year two, year three of this journey with AI and I think initially it was like, holy cow, everything's going to change. Let's adopt it as quickly as possible and learn from it. Then I was like, whoa, slow down. But it is making a huge impression, I believe, on every function in every organization across any industry. And it should be because we have an opportunity to advance things with it. We also have the responsibility to do it in a way that doesn't cause harm. Right? So it's gotta be that balance. We do want to adopt it, but we don't want to cause any harm. And in healthcare in particular, the stakes are so high that we have to do the right thing here.

B (21:16)

And I hate to do this everyone, but we're going to pause today's discussion right here and pick back up next.

A (21:22)

Week with a part two.

B (21:24)

Thanks for joining us this week and as always, don't forget to smash that subscription button and we'll see you next week. Till next time, stay safe.

A (21:32)

Thanks for joining us on the two point Cybersecurity podcast brought to you by forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast.

B (21:48)

And.

A (21:49)

Don'T forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.