With security threats always evolving, governance issues and resource challenges, being a CISO requires focus and courage, according to Sanjeev Sah, CISO for Centura Health, a prominent healthcare provider in Colorado. In this interview, Anthony Guerra, editor-in-chief and founder of healthsystemCIO Media Inc., talks with Sah about the ways CISOs can advance their organization’s core cybersecurity objectives; how to garner treasured buy-in and support from the c-suite; how to partner with stakeholders; and how a CISO can move forward both strategically and tactically to bring success to a career and an organization. Sah shares insights from a broad spectrum of experiences as a CISO and relays how a very personal experience in an ER with his young daughter helped heighten his appreciation for, and devotion to, healthcare cybersecurity.
Guerra: Sanjeev, thanks for joining me.
Sah: Anthony, thank you so much for having me. I’m thrilled to be in a conversation with you today.
Guerra: Very good. Looking forward to it. You want to tell me a little bit about your organization and your role?
Sah: Yes. I serve as vice president and chief information security officer for Centura. Centura Health is a prominent healthcare provider in Colorado, with 17 hospitals and 14 affiliated hospital locations, health neighborhoods, health at home, urgent care centers, emergency rooms, and 100-plus physician practices. Our 21,000 care providers care for the communities we serve.
Guerra: Seventeen hospitals is definitely a sizeable organization. I see you’ve been there about eight months. I’m interested in learning more about your career journey. I like to see how people wind up where they do. Sometimes CISOs have different types of backgrounds. How did you end up getting into security and then into healthcare security? Also, talk a little bit about selecting this role.
Sah: Let me walk you quickly through a bit of my background. I started in the automotive field when I first started my professional career. I worked as a junior IT professional for a global supplier that was located in 65 countries. Over a 10-year period, I worked in corporate offices; worked and contributed at a plant location; then came back to the corporate office location as the head of security for that organization. As I played that role, I learned a lot. Many people contributed to the career and success that I’ve had in that journey. It really helped shape my path into the future. With advice from my former CIO, I went on a journey to learn a bit more about different sectors. It took me to a healthcare organization—Home, Health and Hospice—in Baton Rouge, Louisiana. That was my first time as a first-time CISO for that organization. I will tell you, I learned so much working with people, to make a difference for the organization from a compliance and security perspective. Then, an opportunity presented itself at the University of North Carolina at Charlotte, to serve again as a first-time CISO. That became a trend. I served as first-time CISO for the next couple of organizations in healthcare, and ultimately at Texas Children’s Hospital in Houston, as well. Again, a fantastic organization. A tremendous learning ground. I was able to contribute in many ways to patients’ well-being; working to enhance clinicians’ experiences, as well as their efficiency, and really leveraging cyber to drive technology innovation to enhance patient experience and patient outcomes. When I was at Texas Children’s, I was presented with an opportunity to serve as a CIO at a dental and vision insurance organization in Baton Rouge, Louisiana, and from there I went to Medical University of South Carolina, to serve again in the same role, as a chief information security officer. Being at an academic medical center had its own unique opportunities and challenges. 
But one thing that was common across all my journey, either through automotive and through healthcare, was that the difference that could be made was done with people and partnership, leveraging technology not simply as a technology component, but using that as innovation to deliver patient experience, patient outcomes and enhance clinicians’ ability to care for the patients that we served. Now, this brings me to Centura Health. What a fantastic opportunity to do the same thing for a system that cares for a large population and a network of people in this part of the country.
Guerra: Why do you think healthcare held you? You could have easily bounced back to automotive, or to anything else. Would you say that something about the healthcare industry attracts you, perhaps, more than others?
Sah: Being able to serve in the mission you have in a given organization is really why we come together as professionals. And that mission is just heightened when you are able to use your talent and work with others in the organization. Particularly at Centura Health, we are mission-oriented in doing what’s best for our people who we serve, and for each other in the organization. It’s hard to find a mission that touches your mind, your heart, and gives the kind of satisfaction you get by providing care for people, and by making lives better, ultimately. I’ll share an example with you. Along the journey in healthcare several years ago, I found my own child in an emergency room, and recognized the fact that many clinicians came to her aid along with multiple sets of technologies—whether biomedical devices or a wirelessly connected asset within the ER, or the monitoring center where her vitals were being monitored. This gave me a real personal example of how our work—not my work—our work—comes together to really provide for her care. And I was praying, and hopeful, that all of it worked really well for my daughter. She’s perfectly fine today—a beautiful six-year-old. But when that happened to her at one year of age, it really grounded me as a healthcare professional. And today, I’m much more centered around our mission and our purpose and bringing not just cyber but technology and our skills through partnerships with all stakeholders to do what is best for our patients every single time. Ultimately, it could be your child; it could be your family member.
Guerra: Right. And you could imagine that with all you were dealing with in that situation and all of the stress, and all the clinicians were doing to try and care for your child—you can just imagine them trying to do that while transitioning to paper, because there’s some ransomware attack. And you say, “I don’t ever want to have that happen while I’m working, if possible.” I mean, none of the CISOs who this happens to are bad people, right? They’re all doing their best work. But you want to maybe try and prevent it because you’ve been in that situation, and we know how devastating that can be.
Sah: Absolutely. You know, as we are mission- and patient-focused, our security focus really must be on protecting our people, data and technology—and ultimately, sustaining, enabling and transforming our organization’s capabilities. A ransomware event can be very negative for an organization that is impacted by it. Ultimately, we are all working hard to provide assurance for disaster recovery and business continuity with cyber-safeguards and controls, making sure that we have appropriate disaster recovery plans and making sure that we have tested them, and so on. So, you make a really important point, Anthony. Safeguarding our organizations today in this kind of industry, where the threat is ever-evolving, really becomes our number one priority.
Guerra: So, when you are interviewed somewhere, what do you want to know as a CISO about what’s going on at that place to help you evaluate it? Do you say to yourself, “I want to know what they have in place, because I want to know what I’m getting into. I don’t want to start on day one and think we’re going to get breached any minute.” I’m just wondering from a CISO point of view, is that something that security people want to do maybe even more than CIOs because jumping into a non-optimal situation is even more dangerous for a CISO.
Sah: I might take your question and internalize it and share how I approach the role and how I collaborate with others. For me, a mission in healthcare is the number one opportunity as a CISO. Any opportunity that allows us to develop a program, implement it and manage it; to safeguard operations sustaining our organization’s capabilities, and to provide care and enhance outcomes—to me, the combination of all of that, really drives the type of opportunities that I like to go after. At Centura Health, I’m presented with a fantastic opportunity to do exactly that. I don’t believe our roles with other organizations are in conflict at all. We all work together to really provide for our care and then do what’s best for the organization. For example, I’m in extremely close partnership with my CIO and a governing enterprise information security executive committee, as well as working with the Board of Trustees Audit and Compliance Committees. In doing that, we’re able to develop a strategy that’s right for our organization, and we’re able to develop tactical plans with the necessary buy-in and support that is really important for us to go ahead and advance the security posture and safeguard the operations of our organization. For me, I won’t see any more fantastic opportunity than being able to do that for my work—your work, our work—and together enhance care for our patients and for our families.
Guerra: Absolutely. I’m not saying you’re facing this situation, but I’m guessing that two areas that could be difficult for CISOs would be one: if they can’t get the funding that they need to do the things they feel they need to do. And number two would be: if they’re not getting the support from executive leadership, meaning whenever there’s push-back from security measures from users, that the leadership takes the side of those pushing back and therefore the security professional feels they cannot get the things done that they feel they need to get done. And I’m not saying you are dealing with those situations, you may have a beautiful situation, and it sounds like you do. But I’m guessing there are some folks out there that are dealing with either of those. Do you think those are the potential main points of frustration for CISOs, and how would you deal with them for someone who’s facing them?
Sah: Yes, I think the question is a very important one. But there’s a way to approach the role, and there’s a way to approach governance for security that can lend itself to success versus the types of challenges that one can face. There are real challenges for many organizations where resources have to be prioritized in a way that is best suited for the organization. What I’ll share with you is the approach that I take in successfully leading such programs and hopefully that information is valuable to your audience. So first and foremost, I believe the CISO has to approach the role with courage. And courage means that what is the right thing to do for the organization is the right thing to do for the organization. In doing so, we ought to be extremely professional, balanced, but methodical about approaching what we need to be able to do for our organization to safeguard operations and do what’s best for our patients and families. I have taken that approach multiple times, whether at Texas Children’s Hospital, or at Medical University of South Carolina, and today at Centura Health. In the last six to eight months, I’ve been building a coalition and garnering support for our cyber strategy and developing tactical plans that are coordinated well with our IT effort, as well as working on our organizational strategy goals. And, I’m pleased to report that stakeholders at Centura Health have been extremely supportive in that journey, and I’m really appreciative of their partnership in making sure that the right type of balance is provided both strategically and tactically to successfully implement and manage that. So that’s the advice that I would provide. Partner closely with your CIO. Partner closely with all important stakeholders—and that’s legal, that’s compliance and that’s the executive team, as well as your IT stakeholders, to really gain their insight and their support for the plan that we built. 
That’s been the path for success for the opportunities that I’ve had to implement our core values at our organizations.
Guerra: So, if someone is experiencing frustration in their efforts to move things forward, it sounds like you’re saying, “Take a look at yourself first and make sure you’re operating in the right way to get buy-in ahead of the game,” because if you’re running into a lot of challenges and a lot of friction, it might be you; it might be the way you are approaching things. Is that correct?
Sah: I think it’s a combination of things, right? As we approach the topic and we’re looking for support, we definitely have to be business centric. We have to be balanced in our approach. Sometimes the work we want to do, which might be the number one priority for cyber, may not be feasible from an implementation perspective. And so, we should be balanced in our approach. That’s definitely a piece of advice that I would offer. The second to that is really making sure that the stakeholders are brought on the journey with the CISO, to not just have the strategy and tactical plans, but have the appropriate buy-in and support to really be successful at that. We will have challenges. New priorities will come up. But we have to address them professionally and head-on during potential implementation as we learn that we can’t do exactly what we planned for. But, if we modify, we can still achieve 85 percent of the goals that we had intended. You know, that might be good enough, because it’s a balanced approach. I would advise that we really take a balanced approach, where people are brought onto the journey, and execute on cyber plans in a way that is sustainable and feasible for the organization.
Guerra: Do you think that a large part of the CISO role is not green-lighting or stopping things but explaining the trade-offs and the risks to those who are going to make decisions, whether it’s the CIO, the CEO or the board. So, as the CISO, you’re not saying, “No, we’re not doing this.” You’re saying, “Hey, here’s the risk. Here’s the risk level now. Here’s the risk level if we do this. Here’s the risk level if we spend this money.” It goes down or it goes up, or whatever. Is that how you would describe a large part of the role?
Sah: I think our role is multi-pronged. In the scenario that you just described, we serve as an advisor from a risk perspective to stakeholders in one way. We are also strategists. We develop strategic plans that help to achieve those goals both from a business perspective and then from a cyber-perspective. We are also tacticians who then help guide how we go about implementing safeguards and controls that improve the security posture. And lastly, we are collaborators in terms of ensuring that people who need to be part of the journey understand intended security goals and approaches, so that they are part of the team and will execute on the plan. So, I view a CISO role in all of those ways. Depending on circumstances, forums or needs, one flexes one way or the other to help achieve the ultimate goal, which is, again, to really enhance security postures so that operations can be safeguarded, our patients can be served with the best possible capabilities, enabled by technology, and then better outcomes are achieved.
Guerra: Do you want to talk about the things you are focused on right now? Big picture stuff—where your priorities are right now?
Sah: We are really prioritizing across multiple initiatives. We are working to ensure that governance, risk and compliance aspects are appropriately addressed for our organization. We are enhancing our capabilities on identity access and providing for trust equation of that. We are enhancing capabilities with infrastructure and cloud security. As you know, threats are always evolving, so we need to continue to evolve our safeguards and controls against threatened vulnerability with appropriate security operations center perspective. This is more of a co-managed approach to bring capabilities quickly to our organization, so that’s the other priority we have. And then, I think we should always have the priority of making sure we have the talent that has the right set of skills and knowledge and that we are providing appropriate education and training to our people and to our partners. Those are really our top priorities, and then there are multiple actions that we take within them to enhance security posture and maturity.
Guerra: You mentioned personnel. Do you feel there’s a lack of people for the positions and the talents that you need to run a security shop of your size?
Sah: I think the reality of the global cyber-posture is that cyber-professionals are high in demand. Especially in local markets, there aren’t necessarily enough professionals available. I think the best way to approach this skills gap is to find partnerships that work well that can bring the types of skill sets and resources quickly to assist. So, we approach that strategically with partnerships that give us the best possible way to close the skills gap or the talent gap.
Guerra: Are you talking about using consultants for a short-term type of thing coming in?
Sah: I’m talking about strategic partnerships, like even for security monitoring. We have in-house resources to take the actions that we need to take, but then we also rely on third parties to really look at all of the threats that our organization would face from a cyber-perspective. Our team then zeros in and takes the local action that we need to take. That’s an example of the strategic partnerships we use that are both short-term and long-term to give us the quickest opportunity to have the best talent needed to execute on plans that we have for our organization.
Guerra: What’s your best advice to aspiring CISOs, wherever they are in their career journey? What would your advice be to them for what it takes to get to that ultimate role?
Sah: Well, I think as I offer this advice, I’m mindful that I’m a learner from the community of CISOs and other professionals, and so I’ll offer my advice with that baseline. Really, we as CISOs must be business-centric, in that cyber is definitely something that’s extremely important to all of our organizations, particularly in healthcare. People have a much better understanding of cyber-threats in the marketplace today, and so using that as leverage to really build the kind of stakeholder buy-in and support that is needed to advance cybersecurity, I will say that ought to be the number one component of the CISO role, in addition to having a strategic view. But also, we need to make sure we have tactical strength to go with that, because all plans are good, but sometimes they can run into implementation challenges. For example, network segmentation is an approach that many organizations take to protect themselves. But it’s extremely hard to implement, and it requires a close partnership between infrastructure teams and network teams to be able to do that. And then, it’s good to always keep the mind and eyes open to learn from the community what others are doing to provide for better security posture and improved maturity from a cyber-perspective. So that would be the third element. And maybe the fourth element of all this is engaging with the community at large and sharing your knowledge and experience, while at the same time learning from others. As an example, I do that by participating through HIMSS or other avenues that are presented to me, for example, like the conversation we’re having today.
Guerra: I would imagine that one of the most important relationships a CISO has is with the CIO. Do you have any advice on how to have a successful productive relationship with the CIO?
Sah: Yes, absolutely. I imagine you are picturing the CIO as the manager for the CISO in this question. CIOs are really charged with tremendous accountability and responsibility from the operations perspective. I think a CISO really needs to appreciate and understand that and be helpful in achieving the overall objective of why we exist as a technology organization. Security is a very important component of it. I take the approach that I work extremely closely with all of my IT stakeholder leaders, but particularly with my CIO. I’m ready to answer any questions and help advocate for security through a variety of different forums. In fact, we partner with each other to advance that conversation with executive teams or with the board of trustees. To me, I have found my senior vice president and chief information officer, Ms. Carrie Damon, one who is extremely supportive and understanding of what we’re trying to achieve from a cyber perspective and has lent appropriate support to advance the program goals that we have. To be frank with you, I don’t think we would be there in terms of our cyber program or plan, in terms of stakeholder buy-in, without that kind of relationship that we have and the kind of advocacy that we have from my CIO. My advice would be for every CISO: I don’t think the role necessarily provides a place of conflict. If anything, it’s a place where we ought to find the most balanced perspective. I should go on to say that it’s not going to be without professional discussion, or debates at times, but really, we ought to keep in mind that we exist ultimately as an organization to support and safeguard operations.
Guerra: All right Sanjeev, that’s about all the time we have for today. Is there anything else you’d like to add before I let you go?
Sah: Anthony, thank you so much for the opportunity to share my thoughts. It has been a fantastic opportunity.
Guerra: Thank you so much. Have a wonderful day, Sanjeev.
Sah: Thank you so much.