“CISOs would be blind without threat intelligence,” says TJ Mann, CISO for Children’s Mercy in Kansas City. That’s why Mann uses multiple sources to gather intel on a daily basis, not only to be proactive, but to determine a hacker’s next steps if they do happen to get a breach. Why? Because intel wins wars, Mann says. “You can’t win a war if you don’t know what your adversary is doing. Or you don’t know what’s coming at you.” In this interview, Anthony Guerra, healthsystemCIO editor-in-chief and founder, talks with Mann about his career and what led him to healthcare IT security, and particularly how he keeps Children’s Mercy safe. In the four years he’s been at Children’s Mercy, Mann has built up a team from a handful of FTEs to a dedicated staff of 38. Trust is paramount, he says. The rest of the c suite will only listen if you first build credibility.
LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE.
Everything we’re doing ties back to the organizational goals. And that’s the key in terms of establishing a successful security program.
Your job is to identify risk and assess that risk and share the implications with the business and executives. But they’ll only trust you if you build that trust and credibility.
What I’m not seeing is a lot of effort from people who desire to be in the cybersecurity field to build that baseline – to be in that interview and say, “Even though I haven’t had a job, I’ve done these things to really demonstrate that this is a field that interests me.”
Guerra: TJ, thanks for joining me.
Mann: Thanks for having me.
Guerra: Let’s start off with you telling me a little bit about your organization and your role.
Mann: Sure. I am the chief information security officer for Children’s Mercy Kansas City. We have two hospitals in the area. We have 23 clinical sites, and we just recently opened a children’s research institute, which is focused on identifying and detecting genetic defects and building treatment plans and research around that for kids, specifically. We have a value-based program, as well. We operate in Kansas and some remote locations in Kansas and Missouri. I will be at Children’s Mercy for four years next month. I have the complete responsibility for a strategically aligned cybersecurity program and maintaining the effectiveness of that program.
Guerra: Congratulations on your four-year anniversary, coming up on that. That’s pretty good tenure these days for any c suite. Tell me how you ended up here in a career sense. How did you wind up in IT? How did you wind up in security and in healthcare security? I think people find it interesting how CISOs wind up where they are.
Mann: It’s an interesting journey. My academic background is in IT. My bachelor’s is in IT and my master’s is in computer science. I graduated with my master’s in 2010. Back then, not a lot of universities were offering cybersecurity degrees; there were no programs. The only path to get into security was you’re coming from the network side of the house or you’re coming directly from the IT side of the house, and you had to kind of find and carve your way into security. Nowadays, it’s good to see that a lot of universities are offering security degrees to build their pipeline. To go back, I knew that I wanted to be in security as early as seventh grade. Back then we were first introduced to binary arithmetic—ones and zeros, adding and subtracting and everything. And I thought, “This is pretty cool. This is interesting to me.”
A couple more things of interest about me. I’m an immigrant. I immigrated with my family from India in 2005 into the U.S. I already had my bachelor’s in India before I moved. Growing up, I was also into sports, but my parents were like, “No. You’ve got to make something of your life.” So back when I was in high school, I saw the movie The Terminator 2. There was a scene in that movie, where the kid goes to an ATM machine and does something, and it starts spitting out all the cash. And I found it very fascinating, and I told myself, “I need to learn how to do this. People can do this? This is awesome.” Back then, the internet was 56 kbps modems, and the internet was slow. So, what I did was I downloaded the entire ATM manuals for Diebold and NCR machines; those were the two big ATM manufacturers back then. And I read through all those manuals just trying to figure out how this thing works and how can I make it spit out money. There was a lot of trial and error, but nothing worked. I figured if I need to know how to break in, then I need to learn how this works. I actually grew more interested in the security side of the house. This really grew my interest into how to break into things in order to secure them. This was my entire mantra for my entire academic career, I needed to learn how to break things so that I could secure them. So, I wanted to be on the security side of the house.
I moved here in 2005 and financially we were struggling pretty hard. Didn’t have much. Just had one month’s rent for an apartment when we moved to the U.S. I had a job as a server, and I was going to grad school in the evenings for my master’s program. So I eventually graduated from my master’s program and started really building a career in security. I really grew up from the ranks. My first role was as a privacy and security analyst at LexisNexis, which is a company in Ohio, with Amsterdam as their headquarters. And then moving to bigger and better roles. I spent about four years at LexisNexis and grew to a security generalist. Then I went to Bank of America to help with their cyberanalytics and lead their security log and monitoring teams. From there, I was contacted by PriceWaterhouseCoopers, so I spent about four years with PWC, based out of Chicago, and that role really helped me grow a lot and essentially transitioned from a contributor to a leader.
Within those four years, I got a lot of exposure. I always tell people that consulting is like dog years. What you would end up doing in the industry in seven years, you get that exposure [consulting] in one year because you’re working with so many different clients and so many complex problems and new tools and everything. With that, I gained experience working in the U.S., in Asia and in Europe. And that was key in terms of learning cross-cultural norms, cross-continental communications and working with teams that are remote. Some of the major clients I worked for: Costco, MetLife and some of the Fortune 500 and 100 financial institutions. Really helping CISOs build and mature their security programs, some niche service offerings building cross-functional instant response plans or establishing cyber fusion centers.
So that really kick-started my career into a different level. After about four years, I was contacted by Children’s Mercy for this role. David Chou was there at that time. He was the CIO. They were looking for somebody to come in and build a security program and a security team. There wasn’t much at that time at Children’s Mercy from a security perspective. We had a handful of people who were really focused on day-to-day operations. I joined about four years ago and the first order of business was to build relationships. Go on a listening and learning tour and really meet the different business unit leaders and understand their pain points and figure out where the gaps are currently and where we need to go. And build that five-year strategy and vision and build cybersecurity goals. And build that roadmap.
To do that, we obviously needed a team, so in the first year that was my current assessment. So, meeting with the board of directors and presenting my business cases for the FTEs I wanted to hire and the budget I needed to really build what needed to be built. And so, I was successfully able to grow the team six-fold since I joined. We had three FTEs, three contractors, and now we’re at 38 team strong and that was a big accomplishment. Really, a couple of years ago, the entire team went on a six-month workshop, a very long workshop, to translate the organizational goals into the cybersecurity goals. We could come up with a cybersecurity strategic plan and a vision for the next five years on, “What are we doing?” Everything we’re doing ties back to the organizational goals. And that’s the key in terms of establishing a successful security program. Couldn’t be prouder of the team and where we are.
Guerra: Very good. You were at PWC, and it sounds like you weren’t in healthcare until you came to Mercy. You made the decision to go into healthcare and to leave consulting. Maybe you were sick of traveling. Take me through your decision-making process.
Mann: First of all, I loved my job at PWC. I think it’s a great company, and I would encourage anyone, especially straight out of college, go work for a consulting firm. And I love traveling, so that was not a problem at all. I think what was starting to happen – the honest truth is – I was dating, and every girl I would speak to would be, “Yeah sure, we can meet this weekend,” but I can’t because I’m in a different city every week.” And that wouldn’t go over very well. I was always traveling, and it was hard to find time. The real reason I left PWC was I looked at it as an investment in myself. It was an investment in my personal life from a dating perspective, but also it was an investment in my health. I wanted to give more time to myself, to my mental well-being and to my physical well-being. And I found it was hard for me to balance that with all the traveling. Those were the two big reasons why I left PWC.
When the opportunity came to my mind, I thought, “Yes. It’s healthcare. I don’t have much exposure in there.” So, I reached out to some of my colleagues at PWC who worked with healthcare clients to get an idea of the landscape. When you look at security, the basic framework’s all the same. The controls and the intent of the controls are the same. The ideas and the goals of cybersecurity as an organization is the same too: to reduce the risk to the organization and protect the business. But the threat vectors are different when it comes to the different industry verticals. What might be a threat that may be moving at a higher velocity and at a certain magnitude; that same threat could not be the same velocity and magnitude in a different industry vertical. You look at ransomware, and you look at the most hit industry verticals are state and local governments and healthcare institutions. Two reasons: they both have to keep running 24/7, so there is a self-interest to pay the ransom. And second, they’re both immature and they’re getting up to speed in terms of cybersecurity.
So, in short, why I took this role is because of the challenge. I thought at that time, and I still think, that financial services is obviously one of the more secure industries when it comes to cybersecurity. But healthcare, retail and state and local governments, they’re gaining maturity. And I looked at that as an opportunity. There’s an opportunity for me to go in there and build something from scratch, put together a team, a program and make a difference in improving the security posture for an organization that is so focused on pediatric healthcare, creating a world of well-being for all children. That’s our goal. It’s a non-profit organization and quite honestly, it’s probably one of the most fulfilling jobs I’ve ever had. The reason I say that, is usually when you work in IT and security, you’re mostly behind the scenes. But here, I go out into the community, and I tell people I work for Children’s Mercy and the odds are that they, or their kids or somebody they know, has been to Children’s Mercy. They have memories and stories. It’s fulfilling to see that you’re doing all this work and you’re putting in late hours for the community and for the well-being of the children.
Guerra: So, it sounds like a lot of reasons all lined up and it was the right time to move. A follow-up question on something you mentioned. There’s a lot of similarities across industries when it comes to security. CISOs certainly have some skills that are transferrable. So, if you’re successful in one industry, you can be successful in another industry, but as you mentioned, the threat vectors are different. Threat intelligence is an important part of being a CISO. How important to you is threat intelligence, and how do you leverage that to make sure you’re doing a good job?
Mann: We’d be blind without threat intelligence. I often say that intel wins wars. That’s the same concept if you go into the military or a war zone. You can’t win a war if you don’t know what your adversary is doing, or you don’t know what’s coming at you. You’re basically, essentially running blind. I personally think that threat intelligence is a key capability for any security program. What we’ve done here, is we have multiple different avenues for gathering that threat intelligence. We pay for a service, as well, which delivers curated threat intelligence for our organization and for the healthcare industry in general and for our area. We are aware of and ahead of any geo-political risks or any targeted industry vertical risks or threats that may be coming at us. We also have free feeds as well.
We are members of such institutions as H-ISAC and HIMSS and we get daily threat intelligence from those sources. This is an area that’s still maturing for us. The way that we’re using that intelligence is primarily in our instant response investigations. When the team does an instant response investigation, they need to better understand the threat, the actor and how quickly the threat is moving and, based on this actor’s MO, the next step that is likely going to happen. So that helps us stay ahead and be proactive. What we’re working on right now is integrating that threat intel into other programs, like a vulnerability management program. As we look at the different vulnerabilities, we want to understand how is that vulnerability being exploited and meanwhile, is it a rapid exploitation? So we can better understand and assess the impact to our assets.
I think other use cases would be to integrate the threat intelligence into your SOC environment and into your business continuity environment to understand where there are threats. And also, into your cyberisk management work or program that you may have. It’s a very important part and a key capability for any cybersecurity program.
Guerra: That’s very interesting. I always thought of threat intelligence as helping you create a good defense because you have a good idea what’s going on, but you said something very interesting, which is, as you’re dealing with an incident and a breach actively, threat intelligence may help you understand what that actor may do next. I hadn’t thought of that.
Mann: Yeah. And you look at the MITRE attack framework, and with the various threat intelligence reports that you get you get an MO of the various threat actors, what they usually do when they infiltrate an organization. So that’s a critical resource, if you’ve already identified a threat actor doing an active breach, you can definitely leverage that to understand what likely is going to happen next. The critical thing to understand is what tactic will be aligned with the next phase of the incident, and that can be derived from some of the available information—if things line up, obviously.
Guerra: What do you think is the difference between an average CISO and an outstanding CISO?
Mann: I think the difference is not technical. I truly believe that the leaders that come to this position have the technical ability and acumen to make it happen. I think the difference is on the soft skill side. I think leadership plays a key role in this. A few different facets that would help outside of the technical acumen would be, first of all, your leadership skills and your abilities to coach, mentor, and lead a team and keep them motivated and keep them engaged. I think the other piece is, how well of a communicator you are and how well you can easily translate technical jargon into plain English. I think another key quality is relationship building. How well are you able to build strong relationships across the business stakeholders in your organization. Because, eventually what it comes down to is trust and credibility for a CISO. As a CISO, you’re not a risk owner; you’re a risk flag bearer. Your job is to identify risk and assess that risk and share the implications with the business and executives. But they’ll only trust you if you build that trust and credibility. So those are the soft skills.
And I think, when it comes to leading teams, two key soft skills that I’ve found in the last two years to be of massive importance, and that I’ve started to give more importance to in my personal leadership are empathy and compassion. I think what I’ve seen in the last two years or so, and during the pandemic, is there’s a real need for true and genuine empathy and compassion for your team. So many people on my team have gone through so much in the last two years, and I think if you really want to be a visionary leader, you need people to trust you; people to believe you; and that you care for them and that you have their best interest in your mind. And like any relationship—you can only be successful if your team is successful. Like in any relationship, empathy plays a general role in my opinion–when you really show you care about someone and you do something about it.
Guerra: It’s interesting. You want to actually care. There’s a difference between caring and showing you’re caring. So, we’re not talking about faking it, right? But what do you do if you don’t care? You’re in the wrong job? Do you fake it until you make it? I don’t know.
Mann: If you don’t care you will sooner or later learn that you have no way of being successful. Your success as a leader lies in your team’s success. And only when you’ve created more leaders like yourself, and even better leaders–that’s when you can call yourself a leader. If you don’t care, then sooner or later, you won’t even be a leader.
Guerra: You have to, number one, care. And then show you care. Don’t skip that first step.
Mann: And do something about it. Don’t just talk about it. Write a hand-written Thanksgiving card and thank your employees and show that you care about them. Someone on my staff contracted COVID; making that phone call and showing: is there anything I can stop by and drop at your doorstep? Do you need anything? Those things really matter, and they go a long way.
You know – everybody knows – roles are not permanent. You move on, they’ll move on, they’ll go. But it’s about bonds. It’s about how you treat others; it’s going to come back to you. If you want a high-performing team, you have to take care of them. You have to be generally empathetic and compassionate about them and their needs. And you have to be a good coach, which means that in my philosophy that’s servant leadership. Having them be empowered, but take the lead, and lead them towards the right direction. I truly believe if you can inspire, empower, appreciate, and communicate better with the team, you can really form a high-performing team.
Guerra: That’s really good stuff. High-level question here, so there’s two different ways you can take this question. You can either talk about what you’re working on or talk about one or two of the biggest trends you see out there around security that you think are quite important.
Mann: Let’s talk about some of the trends, and I think first, the first trend I have seen is from a people perspective. And I see a lot of people who want to come into cybersecurity as a field of choice. Some people want to come because it’s their field of experience, or they are interested in it, but they don’t have the skills. I think when we couple that with the global shortage within our field, we are at a very strange time. What I’m getting at is there is indeed a lot of shortage in cybersecurity resources. What I’m not seeing is a lot of effort from people who desire to be in the cybersecurity field to build that baseline – to be in that interview and say, “Even though I haven’t had a job, I’ve done these things to really demonstrate that this is a field that interests me.” I’ve seen that in the last few years as a trend. And I think more could be done from CISO communities to provide the transparency on what’s needed in today’s jobs and roles and what skill sets are we looking for, so we can guide this new talent in a way that’s going to be helpful for the future of CISOs.
Guerra: Do you want to name any of those things right now—in terms of what you’re not seeing but you would love to see on an average applicant when they come in and speak with you? What are those baseline things that you’re looking for that perhaps you’re not seeing?
Mann: I want to see that they have a passion. I want to see that they’re willing to learn new things. I want to see that in their free time they’ve invested their time towards that direction. Even though they don’t have a job, they are going online and have a daily cyber feed, for example and they’re staying up to date on the news from a cybersecurity standpoint. That they have a current understanding of the threat vectors; who’s getting breached. Even if they don’t have healthcare experience, I’m ok with that. What I do want to see is that they know about the healthcare industry; they know about the threat vectors, that they have a basic understanding and more importantly, that they have a passion to build on that and to learning a new industry and to building their skills.
Guerra: This sounds like basic common sense to “prepare for an interview” stuff. If you’re interviewing at a hospital, you should be able to at least be able to cite the biggest three breaches in healthcare and throw that out in the interview, so I know that you’re abreast of it; talk about why you think that happened; bring up some interesting points. So, you’re saying you’re seeing a lack of that in some of these interviews? They’re not doing any homework to prepare, correct?
Mann: At least that’s what I’m seeing. It’s not about I want them to memorize everything; I just want them to be passionate. I would like the candidates to know the landscape; be able to say this happened last month; this is why it happened. And here’s what I think could have been done differently. And you could be wrong; that’s fine. But at least you tried.
Guerra: I think that’s great to put out there.
Mann: And I’m not looking for certifications; even if you don’t have certifications or degrees, but you’re still passionate and you want to learn more and you express that in the interview. I’d rather give that person a chance.
Guerra: And you want them to ask some intelligent questions, correct? If they don’t have any questions, that’s not a good sign.
Mann: Exactly. That’s one trend. And I think the other trend that I’m seeing is, with COVID, a lot of organizations sent their workforce remote, and so did we. And like others, we lost some of that visibility from a network perspective. So that’s the other thing I’m seeing from a technical perspective toward securing that remote workforce from a cloud –internet perspective. Because not all of that workforce is coming through your network anymore – they’re going directly to cloud-based services, so that’s another technical trend that I’ve seen and it’s also something that we’re working on.
Guerra: In the last few minutes we have left, what’s your parting nugget for your CISO colleagues out there?
Mann: My parting nugget is, let’s be more collaborative. That’s the only way we can all get better. We are all doing great work and the more we share amongst ourselves, the better we can get against the adversary. Keep doing the good work and fighting the good fight.
Guerra: Very good, TJ. That was a wonderful interview and I think it’s going to be great for our readers. I really appreciate it.
Mann: Absolutely. Thank you for having me.