At first glance, Jim Brady’s title — Vice President of Information Security and Infrastructure Operations and CISO — may seem like quite a mouth full. It also may seem quite time-consuming wearing that many hats.
But to Brady, Fairview Health Services’ decision to bring infrastructure and security under one umbrella makes perfect sense. In fact, he believes it has already “done a lot of positive things” for the two groups, which typically have worked in silos, despite the many synergies that exist between them. And as healthcare organizations continue down the digital path, he thinks that collaboration will flourish even more.
Recently, healthsystemCIO spoke with Brady, who joined Fairview in April (and took on full-time duties in August) about how his team has managed the myriad challenges of supporting providers and safeguarding data during the pandemic. He also talked about his approach in selling cybersecurity initiatives to the Board, his philosophy when it comes to leading and letting others lead, why words like “interim” don’t matter, and how he has benefited from a diverse career path.
- A critical component in being able to sell cybersecurity (or any) solutions to the board is being able to “speak their language,” and understand their concerns: quality, patient safety and meeting revenue goals.
- As a CIO, CISO or any leader, know that you can’t always be the expert. “You have to let other people lead, and you’ve got to be able to trust them and hold them accountable.”
- The key to success as an interim leader? Treat it like you’re there for the long haul. “I’m not just here to keep the lights on and check the boxes. I’m going to be somebody you can trust.”
- When leaders are able to check their titles and “go shoulder to shoulder to work through problems,” and get to know each other, it can have a big impact on productivity.
- Because of the “strong gravitational pull toward cloud and digital,” organizations will move further away from the data center business, the need will arise for different skillsets.
Q&A with Jim Brady, Part 2 [Click here to view Part 1]
Gamble: I want to talk about the evolving role of the CISO; that’s come a long way, especially when it comes to things like communicating needs to the board. That’s a different skill set than what we’ve seen in the past.
Brady: It’s a matter of speaking their language, and doing it at a high level. The key is understanding what they’re concerned about. They’re concerned about patient safety. They’re concerned about quality. They’re concerned about being able to meet revenue goals. As you consider all these things and look at them from a security perspective, you share how this initiative — or this gap you’re looking to close — would ultimately impact those areas. If you can tie it in and tell the story, the support is there.
There’s always some funding for a rainy day in most organizations, as long as it’s not too large of a request. I wouldn’t be asking for $3 billion dollars for something, but if it’s something that makes sense, they’re able to say, ‘Yeah, I definitely don’t want that happening,’ or ‘we need to protect against that.’ They’re smart people. They’ve been around for a while, and so they know what’s needed to keep the organization afloat, and keep it moving forward. They’ll be able to understand that.
Gamble: It makes a lot of sense. Maybe this approach is a reflection of your diverse background. How has that helped shape you as a leader?
Brady: I’ll start from the beginning. During the first half of my career, I was working on the business side at a non-profit, faith-based school in Southern California. I did accounting, and a lot of the back-office related tasks. And as PCs became more popular and more pervasive I began to use them, and then I started writing programs so that I wouldn’t have to do things manually. And so I essentially became the IT director as well. That’s how I started; by doing a little bit of everything in a small organization.
The second half of my career, I ended up transitioning to Cedars-Sinai Medical Center, where I was the team lead for running messaging, such as email, on the infrastructure side. And so I spent a number of years managing the data center. We installed Epic as our EHR, so I got involved in that, and was able to build that technology infrastructure background. That led me to an opportunity to be a CTO at Hawaii Health Systems Corporation when the security director left. The way things worked out, I actually held both the CTO and CISO roles, which was a great experience, because I had the technology stack as well as security.
That was my first CISO/CTO role, and I learned it could be done. I mean, it’s definitely a lot of work, but it seemed to make sense. The organization wanted to try it, and I was game. I tend to have a Type-A personality; I don’t mind putting a lot of energy into what I’m doing, but I also believe in having a strong team and hiring good leaders underneath me, so that I can delegate to them and they do what they can do.
The same goes when you’re a CIO, where you rely on other people to do the work. It’s nothing to be ashamed of. I correlate it to medicine. My father was dentist and a professor at a dental school. My mother, who was a nurse, always told me, you can either be a generalist in medicine or you can be a specialist, but you certainly can’t be a specialist in all specialties, because there isn’t enough time in a day. I think IT is like that. It’s so pervasive. You can’t be the expert. You have to let other people lead, and you’ve got to be able to trust them and hold them accountable.
It’s no different in the fact that I’ve got two groups: security and infrastructure. And they work together well. There’s a lot of synergy between them, and I think there’s a progression through a number of different roles moving forward.
That landed me here in my current role, which, interestingly, I wasn’t looking for. I took it because they let me know they were looking for someone in the interim, and I had just transitioned from my previous role as CIO with the Los Angeles County Department of Health Services. I had some time on my hands, so I said I’d do it. I really like the team, the vision, and the organization.
I’m enjoying the role; there’s a lot to do. There’s never a dull moment as a CISO. I wake up every morning and jump out of bed, because I’m having fun, and because I work with great people.
Gamble: So you started in an interim role. Did you approach it differently than a permanent role, or was it pretty much the same?
Brady: I’ve found that in healthcare, there’s a slight bias when you’re in an interim role. When you’re a fulltime employee, there’s a certain ambiance. There’s a message that gets emanated from the employees that doesn’t come if you’re a contractor. You’re in the club, so to speak, when you’re fulltime.
For someone in a position of power, this can make things challenging, and so you have to be sensitive to that. I decided right away that I was going to approach the role like I have all of my other roles, regardless of the job.
Interestingly, my first job was as a teacher in junior high school. I was teaching all subjects the first year, then focusing on chemistry, biology and math the second year.
I took the same approach with that role. As I’m concerned, I’m here for the long haul, whether it’s a fulltime role or not. I’m not just here to keep the lights on and check the boxes. I’m going to be somebody you can trust. I’m going to give it my all. But sometimes people will think you’re a mercenary or you’re just there for a short period of time, and not really looking to drive change or help people advance.
I communicated that to the staff when I first got here. I was asked numerous times, ‘Are you going to stay?’ ‘What’s your situation?’ People are looking for consistency. They’re looking for something they can latch on to and build on. So if you’re moving around or you’re not committed, people will be able to tell, and it becomes really difficult to build a strong team or make any significant changes.
Gamble: Based on what you’ve said, it seems like you’re a big proponent of transparency, which is probably the best way to build trust.
Brady: If you read books on how to build strong teams, you’ll see that trust is the number one criteria people are looking for. Transparency is one way to do that. Another is being genuine. Fairview Health Services is a genuine organization. Our CIO, Sameer Badlani, who is a physician, is very transparent, genuine, caring and collaborative.
During my time with Kaiser Permanente, I saw that the organization puts a lot of emphasis on interdependence and collaboration. It’s actually made up of the Kaiser Foundation Hospitals, Kaiser Health Plan, and the Permanente Medical Group, which are three separate organizations. The success of that organization over the last 75 years is based on the fact that they’re a three-legged stool; without each of the members in that three-legged arrangement, they can’t be successful.
At one point, I remember thinking, are we meeting too much? But it showed me how much you can accomplish if physicians, IT folks, and administrative folks all work together, and you leave your rank and file. You leave your positions on the outside of the room, and go shoulder to shoulder to work through problems, and you spend time getting to know each other. And I think that was probably the tipping point when I saw that; it demonstrated that there’s such an impact on productivity if you can do that.
But it’s not a perfect organization. There are silos within silos because they’re very large, but every organization has to deal with silos, and the challenges with people in different departments working well together. But I always try to take those lessons with me, and as much as possible, take some of those good habits and try to implement them.
Gamble: Right. So in your role, how do you benefit from having that CIO experience? I’m sure that’s helpful.
Brady: I think it benefits me in two ways. One is I’ve sat in the seat and I understand the responsibilities. I understand what executives are looking for, and what’s needed to create a successful, high-performing world class IT organization. It’s very dependent on people skills and emotional intelligence.
What often happens is that folks in one part of the IT organization don’t really understand the needs and concerns of those in other areas. When you own the full stack of information technology and information systems, and its success or failure, where you’re having to work with the two groups that I have right now — security and infrastructure — it helps build empathy. You understand why somebody on one team is butting heads with someone from another team. If you understand what their needs are, it’s easy to understand why they might react a certain way.
Another thing is that we don’t spend enough time talking with each other. We don’t level set. We ignore each other. We butt heads when we have to, but for the most part, we stay in two separate worlds. As leaders, we need to bring people together.
I think the CISO role is continuing to gain a higher level of visibility. We’re seeing how important it is. And yet, CISOs still don’t report high enough, but I think it’s headed in the right direction. The same goes for CIOs; in many cases they don’t report to the CEO, which would be ideal. Instead they report to other members of the C-suite. I don’t think either role is where it should be; fortunately, both are being looked at as more of a business executive role. So it’s important to come in as a business partner and as a peer, and you’re not waiting for somebody to click their fingers and say, ‘I’d like to order this,’ or ‘I need this functionality.’
Gamble: I wonder if we’ll start to see infrastructure leadership role become elevated as well.
Brady: It could happen. There are roles you can combine to save a little bit of money, but you have to have the right person. On the infrastructure side, because of the strong gravitational pull toward cloud and towards digital, I think we’re moving further and further away from the data center business — and network and storage, for that matter. Those will become commodities because the large cloud vendors, such as AWS, Google GCP, Microsoft Azure, and others are going to take care of all that for us. And so we won’t need as much of each skill set to manage and maintain it within our own organizations. That’s going to be pulled out of the organization. It’s already happened with electronic health records because we’re relying more and more on vendors to host our EHRs.
With Cerner, for example, I believe 85 percent of their customers are remote hosted, so they don’t have a lot of service in their data center. And so, as we move to cloud, you can literally shave your infrastructure in half or maybe cut off 40 percent, because you can take advantage of the ability of the cloud to scale up if you need a disaster recovery set of servers or infrastructure. Right now, we have to have that exact mirror image or duplicate of all of our IT infrastructure for our EHR. Just in case the main EHR goes down, we have to go to the second one.
I think the transition to cloud and digital will probably transform the traditional infrastructure IT person. We all need to look into the future and ask, ‘Where will my role be in five to 10 years?’ There will be some roles that — because of automation, cloud, and the fact that large providers can scale and provide services and infrastructure at a smaller cost — we won’t need to have in our organizations. A lot of industries are going to be changed significantly with digital transformation.
Gamble: I couldn’t agree more. Well, I want to thank you so much for taking the time to speak with us, and sharing your perspective.
Brady: Thank you.