“Everything I needed to know about information security, I learned in aviation.”
Not exactly what one might expect to hear from the CISO of a large organization, but for Ron Mehring, the time he spent in the Marines has played a huge role in shaping him as a leader. And although he learned from all of the different roles he held, it was his time in aviation that truly laid the foundation for IT security. “You had to do it right all the time; there are no shortcuts, otherwise someone could get hurt or killed,” he said during a recent interview.
And although the healthcare landscape is extremely different from serving in the military, he has been able to apply many of the lessons learned, particularly as his team at Texas Health Resources has strategized to safeguard data – and patients – during the Covid-19 pandemic. Mehring also talks about how they’re leveraging analytics to improve decision-making, the challenges leaders face in transitioning to an adaptive risk program, and the evolution cybersecurity has experienced in recent years.
- The goal of an adaptive risk program is to “more cleanly orchestrate processes, and to make things much more tightly integrated from a security stack perspective in how we manage end-to-end risk across all these disparate environments.”
- As identity and endpoint asset management become an increasingly critical part of the security strategy, having solid analytics is paramount. “You can’t do it without good data.”
- The right vendor doesn’t tell you what they’ll be doing in the next few years; they tell you what they’re doing now to get there.
- For CISOs, it’s no longer just about blocking and tackling; it’s about speed, agility, and the ability to adapt the enterprise to new emerging threats.
- One of the most important life lessons for Mehring came during his time in aviation, where he worked in quality assurance. “There were no shortcuts.”
Q&A with Ron Mehring, Part 2 (see also Part 1)
Looking at security through the lens of adaptive risk
Mehring: We put together an adaptive risk program with the intent to transform all levels of the program, from the risk and governance level down through the technology stack. And it’s to account for all of that change. Zero Trust, something we hear a lot about, is very technical. It’s a very specific set of technical actions that are taken.
Zero trust is actually part of that adaptive risk program. What we’re doing with the adaptive risk program is looking at it through the lens of everything. In other words, you can’t change our technology to do something different without addressing how you’re going to view that through the lens of risk. Because the lens of risk should be governing what you change. You shouldn’t be creating cost in the enterprise just because you think we need to uplift our security technology stack; we should be doing that through the lens of risk. Our processes will change all of that.
The end goal of the adaptive risk program is to automate and more cleanly orchestrate processes, and to make things much more tightly integrated from a security stack perspective in how we manage end-to-end risk across all these disparate environments, all the way from the consumer side. The program governs everything from the consumer side all the way through the workforce. We have consumer security and adaptive risk modeling, all the way down to how we do traditional workforce and vendor risk, and how we deal with joint ventures and partnerships. All this is going to fold into an adaptive risk program where we drive common risk objectives across all of these environments to make sure we’re making good choices around what policies are appropriate, what processes are necessary and what technology needs to be there to support those objectives.
Driving analytics into decision making
Gamble: When you talk about planning 3-5 years out, I imagine analytics plays a big role in that.
Mehring: Absolutely. We’ve gotten better over the past three years at how we tell stories and how we drive analytics into our decision-making. We’ve gotten a lot better at that. Not only does that fold into our risk management practice, it also folds into our operations, and so we have a lot of this data underpinning. And what it’s doing is saying, here’s the way things are operating today, and this is the effectiveness of those objectives and underlying operations.
We have that. We have effectiveness measures. We have all those things throughout the entire control architecture, and it tells us how well things are working. So yes, we have a lot of data informing the current as-is state, and more importantly, the things we need to do down the road.
And as part of that, there’s an analytics line item that sits in all of our security projects. In other words, if we roll out something new, as part of our iterative rollouts, there is a measurement or an effectiveness line that folds into our continuous monitoring program so that we can keep track of those new things we deploy. But it also informs us when they become ineffective and we need to do something different.
Identity and endpoint assets “becoming much more critical”
What we’re seeing today is that there are a lot of challenges forming around the current architectures as they are today. You’ve probably heard there are no more firewalls in the enterprise; it’s all the end user now. Well, that’s somewhat true. We still have firewalls and we still have boundary protection and layers and levels in the environment, but there’s some truth to it in that identity and the endpoint asset are going to become much more critical in protection, because that’s where most of our trust is going to sit in the future in how we make decisions. You can’t do that without good data. You can’t do that without enriching asset data to say what type of device it is and who it is, and then make a supplementary decision based on some policy of how you want to treat the combination of that end-user, that asset, and where they’re located. All of these things come into how we handle trust, right?
You need a lot of data to do that. We’ve done a lot to inform ourselves on what things aren’t working well and what needs to improve, and that’s built into our next plan.
Culture’s critical role in transitioning to adaptive risk
Gamble: That’s a big change from how things were done, and I would imagine you really need to have buy-in from senior leadership to make it happen.
Mehring: Yes. And our leadership team has always been very supportive through the years with the changes we’ve had to make. The nice thing is a lot of the things that are setting us up for where we’re at now in this next stage are things we’ve actually worked on foundationally over the past two to three years. We understood where we needed to go, because we look at the industry and what everybody’s working on, and the difference between two to three years ago and where it is now is that we have a plan and a foundation to work from.
A few major problems exist when you’re trying to transform into an adaptive risk program. The first is culture. It’s going to change the way people operate inside and outside of IT. The things they were doing yesterday and the technology they were using might shift, because now all of a sudden something’s automated. Now they’re doing something a little bit different and they’re seeing something orchestrated for them, whereas before they had to go right to all these different devices to check on them and make sure they’re okay. Now everything’s being orchestrated and summarized for them in a way that they can better understand and act on faster.
Determining vendor fit: Tell me what you’re doing to get there
Next is vendor fit. Plain and simple, there are a lot of vendors — and this has been the case for many years — that promise a lot of things and don’t deliver. In the adaptive risk program, we’re not only looking at cultural fit, but we’re also looking at vendor fit. In other words, are you going to be a really good fit for what we’re trying to do here? Don’t tell me what you think you’re going to do in two years; I want to know what you’re doing now to get there.
What we’re finding is a lot of vendors aren’t necessarily on the same sheet of music as us. And so we might have to wait for them — if they’re a good enough vendor, we’ll do that. Or we have to shift away from that vendor altogether, which is disruptive to the enterprise any time you change technology like that, because it’s probably hooked to some process.
It’s all about the future state. It’s about working really fast; it’s not about continuing to add staff to solve problems. It’s about how do we go faster? How do we reduce friction for us and increase friction for the adversary? How do we get there?
Security challenges with a “20-year-old car”
It’s very disruptive when you’re trying to change to these new models. In the zero trust model, there are some companies that have done that. Google more or less invented it, and I’m sure there were other companies that did it as well. Healthcare is just different. We have lots and lots of legacy equipment; it’s like an old car that you had for 20 years. You add some new stuff on it and you have some old stuff on it and now you have to try to make it all work together. And that makes it very complicated for security.
How do you design an adaptive risk program when you’re dealing with multiple eras of equipment from the technology standpoint? Every 5 years something is shifting, and our equipment goes much further back than that. You’re trying to account for all these things and the different types of workforce members and physicians, and the different interactions you have in the system. You’re trying to say let me build a trust model around that — it’s very complicated in healthcare.
All about speed, agility & ability to adapt
My CISO peers do a lot of collaboration. We’re all trying to solve these problems, because a lot of us are focusing on the same things. How do I bring all this together? How do I do asset management better? These blocking and tackling things that don’t traditionally fall under security, so that the entire team can do better. We see a lot of those types of things changing, because it’s all going to be about speed, agility, and the ability to quickly adapt the enterprise to new emerging threats, especially the ones that move fast.
We’re laser-focused on shifting the program. And there’s a lot going on, everything from how we measure effectiveness to how we do governance, policy management, and everything at the administrative level. There will be some people that shift to this new technology model but don’t shift the administrative, governance, and risk side of this; they’re going to quickly find that they don’t meet in the middle. They’ll be very disconnected.
CISOs making the “business case”
Gamble: Let’s talk more about vendor fit. I imagine there could be cases where at first it does seem like the right fit, but then that changes. And so you have to be ready and willing to address that, right?
Mehring: That’s right. It really does make you look at your entire picture when you’re designing end to end. Before, you could say, I’m going to do firewall design. I’m going to do phishing protection here, and I’m going to do data loss prevention over there — you didn’t really need to have this coalesced, integrated and orchestrated plan.
When you’re moving to these adaptive risk and zero trust models, you have to do that. And not all vendors are going to work really well together, because they may not be incentivized to do that. And so you have to make good choices, and don’t get that sunk cost bias when you say, you know what, part of this architecture is working really well. This one here isn’t, but we’ve already invested a bunch of capital, so we should just keep it. Well, at some point you’re probably going to need to make the business case, especially if it’s not a good future fit. You’ll need to make a good business case on why it’s important to transition now, and you need good data points and you need a good rationale for that to say why we need to shift and make a new investment. The CISO needs to do that, and show in a more holistic way where the benefits are going to come from.
And it’s not about sourcing one vendor to do it all for you, because there’s none that can do that. It’s finding vendors that can work really well together, and help you achieve some of these very sophisticated goals around speed, automation, and agility. And at the same time, it’s layering in much more predictive costs around security so that the next threat that comes up doesn’t make you look like a big bubble of cost. Instead, it’s consuming a much more holistic set of threats without creating cost bubbles. I want to level all that out so that these become much better predictive cost models over the long run, but again, it’s going to take time to straighten that out.
Lessons learned from the VA & the US Marines
Gamble: I’d like to talk a bit about your background. You spent some time with the VA — I imagine that was an interesting experience that maybe helped you prepare for this role.
Mehring: The VA is very much about the mission. It’s like working in a healthcare system, but in this case, you’re there for veterans. You can feel that every day; the mission is awesome.
Underneath the hood of all that, it is really big. We had around 7,000 people in IT, and the budget is something like $4 billion. It’s just enormous. What I learned is the importance of staying connected to the mission, even though you’re dealing with a massive bureaucracy. You have the same projects unintentionally competing with each other. And so I learned how to deal with things like that in the VA, which was very helpful. But what I enjoyed most was the mission. You’re doing things to help veterans, which is pretty incredible.
I worked in oversight and compliance, and when I first got there, I had a chance to go to a lot of different health systems. It was pretty incredible to see the work they did for veterans. To be able to communicate from a security perspective across something that expansive is incredibly challenging, and to invoke change is hard. But I do love the mission. They do great work in that regard.
Gamble: And you’re a veteran, right? I saw that you served with the Marines.
Mehring: Yes. I was fortunate to have a lot of different roles there. I started off in infantry, where I worked as a radio operator. I worked in aviation as a maintainer for many years, and then moved into data systems, and, eventually, information security. I had an expansive career with the Marines. I also had a stint as a career planner, where I tried to get Marines to re-enlist; it wasn’t too bad.
So yes, I had a lot of different roles. But what I tell everybody about my time in the Marine Corps, setting aside all those leadership things you learn and serving with a common mission, is that it’s a brotherhood. You’re connected together with your counterparts and you have this camaraderie, which is awesome. As a side note, my wife was a Marine as well.
Gamble: That’s very cool.
Mehring: It is. But I worked in aviation, and I always say, ‘everything I needed to know about information security, I actually learned in aviation,’ because the mission in aviation is to keep planes up and flying. I had a lot of different roles, from fixing planes to quality assurance. It’s interesting; you have 18-year-olds working on aircraft that people are piling into to go up and fly. Think about that for a second — 18-year-olds who had about three to four months of training on how to fix an airplane.
But they’re actually some of the safest in the world. Because of the structure around it, the leadership around it, the expectations of the people you work with, and the accountability, you can see how a culture formed within aviation of ‘I’ve got to do this right all the time. There are no shortcuts, or somebody could get hurt or killed.’ I learned everything from quality structure to how to make things happen safely, and it was an amazing experience.