Unlock Expert Insights: Bridging the Cybersecurity Skills Gap
On the latest episode of Cracking the Code, Chris Bowen, CISO and Founder, Charles Cinert, Chief Services Officer, and John Dering, SVP of Marketing, sit down to discuss innovative solutions to one of healthcare’s most pressing challenges: the cybersecurity skills gap.
What steps can your healthcare organization take to ensure you and your team are prepared to fight against the growing cyberthreats in healthcare? Watch the episode and find out.
Transcript
Welcome to the official 25th edition or episode of Cracking the Code.
0:11
Wow, I mean, that’s a milestone.
0:14
That is a milestone right there.
0:15
I have to say, I’m excited to be joining you all today.
0:18
My name is John Dering.
0:20
I head up marketing over here at ClearData.
0:22
And I’m excited to be joined by Chris Bowen, who’s our, our founder and, and CISO, and Charles Cinert, who is our chief services officer.
0:32
And today we’re gonna talk about one of the biggest challenges in cybersecurity, which is, having the right skills and the right capacity within your organization to address these challenges.
0:46
You know, I was doing a bunch of research and we’ll get into that, but it seems like this is a a hole that we’re always trying to dig ourselves out of.
0:53
Right?
0:53
And we can look at, you know, you go back to things like Change Healthcare earlier this year, right?
0:58
Where somebody didn’t turn on MFA, whoops, biggest cybersecurity incident in the history is the history of just healthcare history of, of, of the world, right?
1:11
I mean, I have two of those, didn’t we, John?
1:14
Yeah.
1:14
Well, yeah, that, that’s one of them, right.
1:16
But, you know, and, and we talk about, you know, where are the biggest source of, of mis of incidents that lead to breaches are misconfigurations which are commonly driven by human error, right?
1:28
And, so it, it’s a really interesting challenge that it seems, is persistent and ongoing in, in this industry.
1:35
So as I mentioned, I was looking at some reports and they’re essentially saying that, you know, the, the capacity for staff, it has stalled, it hasn’t grown year over year.
1:45
This is some of the ISC2 recent report.
1:49
But also that these organizations are saying, you know, their biggest challenge, nine out of 10 are saying this is the skills that the team has not the level of staffing that they have two thirds of them say that it’s, it’s more skills than, than staffing.
2:02
So I I’m curious, maybe Charles will, will jump off with you as, you know, kind of running the people who do this for, for our customers.
2:12
Like what do you think is the biggest thing that, that creates that gap or widens that gap within the, you know, the in internal teams that are trying to, you know, solve these for their organizations and for healthcare organizations in particular.
2:27
Yeah, I mean, John, I can share with you, I, I talked to a lot of customers and a lot of CISOs and a lot of I was just out with a customer last week and we were talking about this and I think you’ve got two of potentially three dimensions that are on their mind right now.
2:39
There’s one can, can I find the people, you know, while some of the hiring may be a little flat out there, the people are still in demand.
2:47
This is a space that unlike other spaces within this type of work continues to demand those type of resources because the, the threats aren’t, aren’t going away.
2:56
I think that’s kind of the third component.
2:58
We should talk about the second component.
3:01
So, you know, how do I go get those people?
3:02
How do I recruit them?
3:03
How do I make sure that, that they’re coming in?
3:05
The second part is, you know, with my established staff, how do I make sure that they’re current in their skill set?
3:11
You know, there’s a big thing that’s going around now as you can see, like with the federal government, talking about how do I get more cybersecurity people in?
3:16
Don’t need a degree requirement, need a certification requirement, these type of things like that.
3:21
And, and what you find is, you know, with a lot of the certified certifying bodies, I I was looking at the other day, there’s over 700 certification types that you can find in this space.
3:31
How do you just keep current with that, especially as operators are heads down doing their business if you’re in a SOC.
3:37
Right.
3:37
You’re in a SOC, working really hard, right?
3:39
To avoid these things, to try to try to really get past it.
3:42
When do I get the time for the training, given the workloads that are out there?
3:45
So, I, you know, I, I see that definitely.
3:47
But the other one that, that I think is gonna throw this all up and hey, Chris, I, I think you would have an interesting perspective is the fact with AI marching in the way that it’s marched in where it used to be threat actors could come in, right?
4:00
And kind of one on one, try to try to try to come in whether, whether the threat actor was manipulating a person or even, you know, kind of clumsy work in, in, in the way that was going on.
4:11
Now you have AI coming in as a threat actor that changes what your people need to know because they’re competing against a different type of player.
4:19
So, you know, I think that as, as I talk to, to customers, as I talk to peers in the organization, those are really the three things that are top of their mind as they start to think about how do I really stay safe, especially in a place like ours with PHI and, and other data that’s really important.
4:32
I don’t know, Chris.
4:32
What do you think about AI? I mean, it’s a, it’s a game changer for sure.
4:37
It, it’s almost like a reboot.
4:40
In terms of the things that you mentioned, John and Charles, I, I’ll go back to the certification.
4:47
Just keeping it on top of your certifications is a daunting task.
4:52
You, you’ve talked about the workload in a SOC, you talk about workload and, and technical debt re remediation, all these other things.
5:02
When do you have time to do that?
5:04
I’ll tell you my method is my, my Ruben method is always to wait till the very end.
5:09
And then try to wonder how did I put myself in this situation again this year.
5:14
But, but seriously, the cybersecurity landscape is a totally different one from two years ago, completely different because we have that, that AI threat also.
5:30
It’s an ally.
5:31
So it just depends on what side of the coin you’re on with that.
5:34
But if we’re not teaching our people how to, how to understand and know what an an artificial intelligence workload or solution looks what it looks like we need to be doing that because if you don’t know what you’re, you’re guarding, you don’t know how to protect it.
5:53
I, you know, you said something that was really interesting there, Chris, because I, I there is two sides to that coin, right?
5:59
You know, I, I think as security professionals, we obsess about the the one side, which is the people coming towards us, right?
6:04
And, and what’s happening with autonomous bots, right?
6:07
And, and coordinate bots and that type of stuff.
6:09
But, but how do we, how do we as defenders?
6:12
Right?
6:12
Use those type of things and the the the thing that’s starting to come up around that is I think the marketplace around certification and knowledge is actually lagging towards what’s going in there because you think about how quickly those tools are changing, right?
6:25
There was just a new version of ChatGPT that just dropped that are just really blowing people’s minds and there’s nothing there that are helping the good guys train the good guys in order how to use that effectively against the bad guys where, you know, the bad guys are already running down to, to try to figure out those exploits.
6:43
And, and, and I, I think it’s really puts a lot of pressure on the organization right in the context that you don’t have these outside things you could rely on.
6:53
It could be, you know, to your point, hey, go, go get your recertification or go get your new certification.
6:57
Now.
6:57
It’s like you just got to keep up every day and, and make that a thing to keep up with the trends in AI, keep up with the trends in operations, the 700 or so configurations that are available in the cloud and the thousands that change every year.
7:10
Right back to what John was talking about the misconfigurations that allow those leakage.
7:14
Then I got to worry about kind of all the security stuff that’s going in there.
7:17
And I think the complexity, you know, has just multiplied and will continue to multiply as, as, as we go along the combinations and permutations that will get you.
7:27
And what’s really interesting in some of this research in the World Economic Forum’s
7:32
2024 Global Cybersecurity Outlook.
7:37
They talked about, you know, more tech, more tech, but it exacerbates the problem.
7:44
And like you were saying, Charles right now, you got to keep up with the tech that you’re trying to use, which is another level of skill set you have to do.
7:52
And what’s interesting is we’re seeing that trend now, we just did a research report for the 2024 state of health care cloud security and compliance posture.
8:01
And our respondents said over half of them said that anywhere between 20 to 40% of their IT budget is going to tooling and training, right?
8:13
So, so are are, are, are they thinking about this the right way?
8:16
Are they thinking about solution and solving this threat?
8:20
This, you know, it feels like this is a tsunami, right?
8:22
That just keeps higher and higher?
8:23
But, but are they, is that the right approach, in your opinion?
8:26
I mean, it it exacerbating I I think the question in your, your stat, there is what percent is tooling and what percent is training because typically they’re not, you know, at a, an, an equal value, right?
8:38
When you start to think about what people do, there’s a lot more OJT than there is kind of the, you know, the functional classroom, you know, type of activity that goes on that way, you know, I, I, I wonder sometimes, you know, as you start to think about this, do you have to run, you know, a two speed type of security in, in operations?
8:56
You run two speed operations, right?
8:57
All the, the, the antiquated stuff and all the new stuff you want to run, right?
9:00
So being in a, being in a data center where it’s all kind of old and, and, and probably not as established as being in the cloud.
9:06
And, you know, a lot of I, I was talking to the CIO of a a multibillion dollar pet food company somebody I worked with in the past.
9:15
And he’s the one that brought that not up to me, which is, you know, as you start to think about these new frontiers, it’s not just enough tooling in the training, but is the thought process different also that you have to have as you use some of these more advanced or you’re going after more of these advanced opportunities with her, it’s not enough to integrate Copilot into Outlook and say, hey, I’m, I’m, I’m doing this.
9:33
You really have to know how to use those tools.
9:36
And is that different than the traditional way that you would use security tools?
9:39
Although both would be warranted because I, I do go back to what you said earlier and, and where a lot of these breaches come from or a lot of these issues come from that are out there, right?
9:50
So you, you look at, you, look at what happened to actually the biggest lock up that ever happened that was promoting code right in the CrowdStrike problem.
9:59
Let’s just call it what it was.
10:02
And exactly Chris and, and it wasn’t a security problem.
10:06
It was, it was a code problem that wasn’t scanned the right way right upfront.
10:09
Due diligence wasn’t done before it got into production.
10:12
And that’s, you know, that’s, that’s in part a security thing, but it’s a, it’s a good hygiene.
10:16
You look at, you look at what happened with MFA, that’s a human activity.
10:22
And so, you know, the, the confines of really how you have to run, this really starts to become like a, a three dimension chess game and it’s, it is training it is that, but I also think the way that, that we said it’s kind of flat in how you do it, you, you really need to understand how do you get the right people at the right place at the right time. Oh, that’s the great point.
10:41
Charles.
10:43
Sorry, go ahead.
10:46
No, no, that was it.
10:47
There’s the con we’re back from this commercial break, right?
10:54
So, I was gonna put that to you, Chris, like when you think about that and how, and how you cc, so, you know, you, you’re in the seat, you’re the guy in the seat, so to speak.
11:03
Or, or person.
11:04
No, that’s true.
11:05
I am in the seat.
11:06
You’re right.
11:07
Here’s the thing, you know, Charles said something that was poignant.
11:11
You gotta get the people and let’s just talk about that for a second.
11:17
You don’t just magically get the people.
11:19
You gotta go, you gotta have recruiters that are out there finding people with the, the talent.
11:24
In many cases, you have to train the recruiters to understand what they’re supposed to look for.
11:29
And then of course, once they, we get a couple of candidates of the proverbial wi if you will, then you’ve got to understand.
11:37
Is this what we, is this what the, the hiring manager wants?
11:41
OK, great.
11:41
Now we got to look at the documents and I have an emphasis on the, on the, on the subject matter.
11:48
You gotta look at the documents.
11:49
HR. So you’ve got to make sure your entire ecosystem of people who are trying to bring people into the organization do their jobs, make sure that they’re looking at the documents, make sure that they’re hiring, who they say they’re hiring, make sure that we are vetting these people.
12:06
You know, in a way that, that is health care ready because we’re not, we don’t have the tolerance or the time to think about.
12:14
Do I trust this person?
12:15
Do I not?
12:16
Is this person who he or she says they are or not?
12:19
So we’ve got to really just go all the way down the line.
12:24
Right.
12:24
Charles to determine who’s coming into, into your organizations so that we can be protected all the way through that life cycle.
12:33
A 100%.
12:34
Yeah.
12:34
And, and you know what, that makes me wonder about Chris and I don’t know what your take is, but, you know, when you start to think about the complexity, right?
12:41
There’s the complexity.
12:42
You just said like, how do I get people that’s, that’s complex, right?
12:45
And not even that, like you get to the finish line and they’ve got another offer somewhere else, right?
12:49
And so now it changes that little thing, right?
12:51
You, you’ve been there, I’ve been there.
12:52
You get into the complexity of how do I guard the stuff that’s been around before?
12:57
And probably needs the standard way to do it.
12:59
How do I guard the new stuff?
13:00
Right.
13:00
And get kind of the advanced force put together, you know, how do you look at, how do you look at, you know, the point of when that’s not really your core competency?
13:08
What do you do like you know, if I’m, if I’m, if I’m a health tech and, and I’m putting out a new product and I’m, I’m out there really trying to help shape patient records to be able to do pre-op right at the end of the day.
13:20
And security isn’t really my, my, my big thing.
13:23
Right at the end of the day, it’s not all this is hard but it’s distracting.
13:27
Where, where do CISOs like you go at that point?
13:29
Oh, we, we we hire people, we hire firms to come and help us.
13:34
It’s a partnership model.
13:37
There’s a reason that we have lots of vendor diligence happening is because we, we, we see someone who has their core competency, not necessarily on what, what we’re doing, but something we need.
13:47
So we hire that firm to do it.
13:49
And of course, we have to vet that firm and, and all the other things that go along with that and sometimes stakeholders internally will get feisty and say, why isn’t this done so quickly?
14:00
You know?
14:01
Well, sometimes there are layers of vendors who are relying upon one over the other over the other.
14:07
And so it’s not always an easy vetting process, but, but that’s, that’s how we do it.
14:13
Yeah.
14:14
I, I, I, I think it’s an interesting, you know, decision when, when you do that because all those things that we’re talking about are things that are needed.
14:21
There’s, there’s no doubt, right?
14:22
Because even if you, you think about, you know, a lot of, a lot of companies, I talked to talk about risk when it comes to cyber security.
14:30
I know you’ve covered this, you know, in the past, in, in conversations.
14:34
But then the real, the real thing that they’re starting to realize is, you know, one is a risk question but two is what does it really do to my business?
14:40
If it happens, you can say the risk of it happening, right?
14:42
But you can take a company where trust becomes something cybersecurity is about trust.
14:47
I can trust you with the crown jewels of stuff and when the crown jewels get invaded, right?
14:53
Especially in healthcare where it’s not like a social security number or it’s not like a driver record or any of that where I can freeze my credit, right?
15:01
I can change my social security number.
15:02
I can’t change my health care data, what I have and and what what is there is there where it really starts to become much more valuable.
15:10
And so you start to think about what it takes to do all that and the work that’s there.
15:14
I’m talking to a lot of companies where they’re, they’re looking and saying, you know, how do I get help here?
15:18
How I I don’t know that continuously being the expert at 700 plus cybersecurity certifications trying to figure out who’s got what putting it in some tool to, to track some HR tool to track to do that and that they’re, they’re starting to look at other firms saying, listen, that’s your core competency is your core company.
15:35
We expect excellence from you.
15:37
And how do you keep that excellence on our behalf?
15:39
Right.
15:41
I, I, I, I see a lot of that.
15:43
I mean, I, I could tell you some of my, my other considerations, we, we always talked about the fact that it is your core competency.
15:49
You keep it if it’s not someone else’s and they should, they should really go do it and you should be able to enable that type of activity.
15:55
Yeah, I think you’re spot on Charles.
15:57
One of the things that it takes me back to the health sector, Cyber Council working group and, and we work on this, we toil on this topic all the time.
16:07
And one of the things that they put out and it’s, I think it’s still on their website.
16:12
We’ll put the, the link here, maybe, I don’t know, somewhere.
16:17
We’ll put the link somewhere right across my big forehead.
16:21
And and what they suggested was why don’t we start bringing them up from within, start to train them from within and, and what you, what you end up having and someone who’s loyal to the organization, someone who you trust because you’ve known them as they’ve come up on up into the ranks and, and that’s just one of the one other way that we can bolster some of our cybersecurity skill set.
16:50
Yeah, and that’s an interesting you know, correlation to your, your contribution to the Forbes Tech Council about how, you know, how do you advance that?
16:59
Because, because some of the other data that I was seeing is showing that when, you know, cybersecurity leaders are hiring, they’re hiring, they’re having to hire at an advanced level.
17:10
There’s no junior entry level talent out there that you want to bring in, that’s gonna be in charge of securing all your data and preventing, you know, breaches from happening and, and OCR fines and all that kind of stuff, right?
17:21
And you know, you don’t trust that to the kid down the street who might mow your lawn.
17:25
And so, you know, conceptually that means you have a limited amount of you know, head count budget line items, right?
17:31
Because you have to pay more for better talent.
17:33
So, you know, there’s that, that trade off of like, well, maybe I can get good talent, but I can go and get a little bit of it versus, you know, I need, you know, like I said earlier, the the demand and the supply side of this, there’s twice the capacity needed than, than is available to support that.
17:49
So, you know, I, as you’re saying earlier, going out and find other other partners.
17:53
And so like, that’s a really critical part for both retention but also growth within the, the organization.
17:59
I’m, I’m curious how something like maybe someone from outside health care coming into health care for that, how that might look in terms of, you know, both the, the onboarding process and getting to closing that skills gap.
18:12
Is there a correlation between other industries and health care?
18:16
Does that create a wider gap that they have to cross?
18:19
What are your thoughts there?
18:22
Charles.
18:22
I think that’s probably a new question since since you’ve worked, I’ve been exclusively health care for 20 years.
18:29
You know, I’d love to hear your perspective.
18:31
I, I’ve been in and out of health care for about the last decade and a half.
18:36
I, you know, I, I, I think that what, what I think about what you said John is, I, I think for all businesses there, there’s part of it, which is when a business gets locked up, right?
18:45
Let’s say it’s a ransomware attack or something like that.
18:48
There’s brand, brand damage that goes on.
18:51
There’s, you know, there’s, there’s fines obviously like, you know, I, I believe it was this year.
18:55
If you’re a public company and you have a breach, you now have to put it out in your, your quarterly announcements, right?
19:00
So before you didn’t have to, right, you could hide it if you wanted to and that was the way you run your business today.
19:05
The transparency is out there.
19:07
I think more than that what you run into with security professionals.
19:10
When you have those type of things is, you know, security professionals take a lot of pride in what they do.
19:15
Right.
19:15
They, they are, you know, for lack of a better way to say it, they’re the police of, of what we do, right.
19:20
They’re chasing the bad guys and when you have those type of problems, right.
19:25
A lot of them will start to get restless where they’re at.
19:27
And so you see that across, across all industries, I I don’t think that’s, that’s unfamiliar territory.
19:34
I think that in different industries for different reasons, they would tell you why they’re special.
19:40
You know, as an example, I was in the travel industry just recently and we would say, you know, in, in a way that, you know, we have the most valuable data and you would say, why do you have the most value today?
19:48
Because I know where you’ll be tomorrow, right?
19:50
It’s valuable to somebody, right?
19:52
The data is all valuable to somebody.
19:54
I think for us in health care, you know, the the the challenge is, is the type of data we have the type of records, the disruption to patient care is actually more than that.
20:04
You, you look at some of these things and you say there was an auto dealership platform that, that locked up a bunch of auto dealerships and you couldn’t get finance, it’s not life or death.
20:13
But when you’re, you’re going into getting a read as an example, let’s say you’re going in to get some type of cancer read, from a radiologist or an attending, right from that perspective and all your records are locked up for you.
20:25
That’s life and death.
20:27
It, it absolutely is.
20:28
And whether it’s truly life or death or not, doesn’t really matter at that moment to you, right, when they can’t get to your records or you have delayed treatment and the rest.
20:35
And so when you start to think about health care, health care is a very special place, the security basics, you know, as you come into it, I think are, are relatively similar, right?
20:44
In the way you wanna kind of look at things, right?
20:47
I think the sensitivity, the sense of urgency, the the amount of focus you have to have is amplified in healthcare because of those reasons because when something happens, it’s much more amplified.
20:58
And so when I see security professionals come in, out of other organizations or other groups, they really have to kind of change.
21:05
It’s, it’s almost like I was talking to somebody the other day about this.
21:09
It’s almost kind of like going from college to the professional.
21:11
It’s just much faster, it’s much more hard, the hits are harder.
21:15
Everybody’s at their A game, it’s the top of it.
21:17
And so I think a lot of it is really, you know, about a mindset.
21:20
And so you go back to what we originally started talking about training and development.
21:23
You know, part of this, do I have the right certifications?
21:25
And the rest part of this, can I use whatever tooling that you’re using?
21:27
But part of this, am I ready for game day, every day?
21:31
That’s what healthcare does.
21:33
Yep.
21:34
Good point.
21:35
Yeah, that makes me think you were talking earlier about the, the importance of, of medical records as they, you know, they follow you throughout your life versus, you know, other things you can change.
21:44
I can change my name if I want to.
21:46
Well, in fairness you can change your medical record.
21:48
It’s just not good for you.
21:50
Yeah, it’s a bad thing.
21:52
But I mean, you know, what, what was it, the CMS notified that there was, was it Medicaid or Medicare breach?
21:58
I think it was early, I think it was something like close to a million, million members, right?
22:04
And arguably some of the most vulnerable out there, right?
22:07
Susceptible to scams and things like that.
22:09
So not only, you know, hey, I can’t get my, my cancer treatment today but, you know, now that people know how to use that, you know, something about calling, pretending to the my kid is, is lost.
22:19
And I need to wire the money and, you know, they’ve got, you know, your aspirations and your biggest fears in their pocket, right?
22:26
And, and you know, that member or that section of our, our population is a lot more susceptible to, to those types of things.
22:32
So yeah, it just gets scary and compounds more and more which I think to your point, Charles emphasizes the need for the sense of urgency around that stuff.
22:40
It’s not like you know, they stole my credit card number.
22:44
I’ll go shut it down and get a new one and I do this every year kind of thing like this is, this is, this is life and death for, for, for some people.
22:53
So so great.
22:56
I, you know, I I really appreciate, appreciate your all time.
22:58
I think we had a really enlightening conversation about the importance of protecting this information and really understanding how to close the the skills gap and the importance of of different options for doing that.
23:08
So, Chris Charles, thank you both for joining us for our 25th episode.
23:14
You know, pun intended here, no silver bullet solution here.
23:18
Other than to make sure you can get access to the, the best best resources and skill sets that you need to protect the the patient data.
23:27
Yeah, I said pun intended, Chris, I do so so great.
23:32
Thank you all both again. For everybody tuning in.
23:35
Make sure to check back, we have Cracking the Codes being released every, every so often.
23:41
So we try to keep a good pace here going.
23:43
But we invite you, you know, reach out if the topics you want to hear us talk about, please, please do that and we look forward to talking with you soon.
23:51
So thanks again, everybody.
23:53
Thanks everybody.
23:53
Thanks all.