James Case, VP/CISO with Baptist Health, says the CISO role is all about understanding and communicating IT risk to operational leaders, and including them in prioritization.
“ … my thought would be to ask: is this your interest, what you have an affinity for, what you find yourself reading about on the weekends and at night?”
“I think a key part of my job is to make sure that informed decisions are made based on risk by the right people.”
“ … every organization has risks, cyber risks, whether they’re talking about it or not, or they’re managing it or not, or they’re prioritizing it or not – it’s there.”
“I think humility is a good word, because you’re always going to have weaknesses. So it’s about finding them before the bad guys do.”
“It goes back to ownership and, to me, a big part of my security leadership is making sure that each application, each system, has a business owner and a technical owner, and making sure that they’re not only identified but they are aware of their role and their responsibility … ”
Anthony: James, thanks for joining me.
James: Thank you very much. It’s nice to be here.
Anthony: Tell me a little bit about your organization and your role.
James: We’re a 5-hospital system in northeast Florida, across 4 or 5 counties with many, many doctors’ offices as well, and freestanding EDs. We’re the only locally owned and governed health system in northeast Florida. That’s very nice.
My role as CISO is new. It was a new position created late in 2021, which is, I think, a good testament to the investment and the priority that the health system is making in cybersecurity. Because without the role of a CISO, I really feel not enough attention, not enough of the right conversations are happening at the right levels, and the right planning and the right identification of pain points. That’s a really key thing that I’ve been thinking about for years.
Anthony: It sort of demonstrates to the organization how seriously leadership takes security by having that role.
Anthony: Very good. CISOs are an interesting bunch. They come from all different avenues to arrive where they do. You certainly had an interesting journey. A few highlights here that you can take us through – you studied electrical engineering. Then, it looks like you sort of bounced around between financial services and healthcare. Tell us a little bit about your journey and how you wound up where you are today and what drew you to healthcare information technology.
James: Good question. I mean, I would say the key parts are project management. Starting at project management, infrastructure project management and really learning – I’d say the entire infrastructure, all the wireless networking, storage, server, applications, nursing hands-free things, really rolling all that out and then, several security projects. That’s really what got me into security about 12 years ago.
Then, 12 years ago, we didn’t have a formal security program. I really kind of took over these three programs, which at the time – if you said security at Baptist Health 12 years ago, it would be, well, the team in charge of doing access management, right. That’s really all it was back then. It was less focused on cyber, cyber, cyber.
I took over the team and started really consolidating, bringing in the network security and all the different pieces of security and built the program out and worked with a firm, like FishNet Security, to do a security program review and built out the program, really from there – the policies, the framework, all the governance.
Anthony: Yeah, I’m wondering – a lot of CISOs come out of infrastructure, that’s what we hear. What do you think makes one diverge to either go focus on security or to perhaps more go the CIO route?
James: Yeah, my thought would be to ask: is this your interest, what you have an affinity for, what you find yourself reading about on the weekends and at night? To me, I think that’s really what I have found. I’m interested in technology but I have no desire to be the CIO. I’m happy at this, what I’ll say is kind of the final peak of my career. I’m very happy because I like focusing on security. I think that’s a big enough chunk to worry about and be stressed about on the weekends and at night.
Anthony: Is there a relationship between interest in IT security and interest in law enforcement type issues? Is that related?
James: I wouldn’t say there is but certainly there’s going to be some overlap there. I certainly stay in touch with FBI and DHS on a regular basis, and we share ideas and threat intelligence and strategies and education.
Anthony: You wouldn’t be a cop if you didn’t do this?
Anthony: Would you be in the FBI?
James: I would be doing some other nerd job, some sort of technology, something – yeah.
Anthony: Well, there are more and more nerdy jobs in law enforcement, right. Either in accounting, IRS, following the money, all kinds of stuff – anyway, kind of interesting stuff. Were you hired by Aaron Miri? He’s a friend of ours and I looked at the timing and he was there a few months before you came on.
James: Not a coincidence, no.
Anthony: Yeah, I’ve known him for many years in many different organizations he’s been at. Did you know him before?
James: I did not. I met him just through his role starting at Baptist and I think people just said, “Hey, call James,” and he did and we had a few calls, and had dinner one night and here we are.
Anthony: Okay. I would describe Aaron as – to me, he’s one of the outstanding CIOs in the industry. I mean, his energy and his passion is second to none. I’ve interviewed many, many CIOs over the years and he’s a very impressive guy. What’s he like to work for?
James: Good question. I would say the word inspirational comes to mind.
James: High energy, inspirational is what resonates every time we interact whether it’s a text, a phone call, a face-to-face or group meeting, having dinner, whatever it is, every interaction I’m left with that thought of yes – high energy, but also inspirational.
Anthony: Right. I know he’s a very security-minded CIO. I’m sure they vary in terms of their focus on security. They probably all have a general interest in security and awareness of it. Like anything else, you’re going to have gradations of their knowledge of it, comfort with it, interest in it. I would describe him as a very security savvy CIO and certainly, inspirational.
I’m sure when you talk to him he is always emphasizing the importance of your role. He probably says things like, “It’s absolutely number one stakes to play, need this locked down.” So that makes you feel good that your role is valued.
James: Right. So maybe add to my description of him: level of support. Kind of what you just described is, to me, a level of support – the importance of being in the right conversations at the right time to identify the risk. And then really, I think, a key part of my job is to make sure that informed decisions are made based on risk by the right people.
Anthony: Right. In terms of what a CISO needs from their CIO, it’s that kind of stuff, it’s support, backing, encouragement.
Anthony: On LinkedIn, you commented on an article about questions that CEOs should be asking their CISOs. Can you just give us some thoughts about that?
James: Yeah, I wanted to make two points there. There are things that people higher in the organization, for example the CEO, should be asking, and it also touches on transparency. Yeah, that article just resonated with me about kind of questions that senior leadership should be asking about the risks to the organization – how are we doing on this, how are we doing on that, do we have any risks here… because at the end of the day, silence doesn’t mean things are okay.
“Leave me alone and just let me do my thing,” is not necessarily the right thing for the organization. And so I think it takes those dialogues, it takes that transparency to have those conversations, to make sure the risks are understood, because every organization has risks, cyber risks, whether they’re talking about it or not, or they’re managing it or not, or they’re prioritizing it or not – it’s there.
Anthony: Right, right. I guess if you’re a CEO, it’s dangerous to just assume that, “Hey I have a CIO, I have a CISO for security, they got that. I don’t need to know about it. I don’t need to ask about it.”
James: That is exactly right on. I couldn’t have said it better.
Anthony: Okay, maybe any more details on those high-level things you want CEOs to be curious about and to sort of inquire about?
James: Sure. Cyber risks – where do we have the highest risks? What keeps you up at night? Those are certain things. Where are we the most exposed? If I could help support you one more way, what would that be? Are we protected against ransomware? Maybe start getting more specific, what are our highest risks for ransomware? Nobody is perfectly protected against it but what is each organization doing to identify their readiness from ransomware safe backups. Could we really restore things if we need to? All those sort of questions should be asked and the information should be shared because every organization has those risks, but how well are they being managed and really mitigated and what’s left on the table that’s risk, is it low enough.
Anthony: Yeah, I’m thinking about a CISO’s exposure to the CEO and the board. What do you have in terms of your exposure? Does Aaron sort of bring you in different meetings and then turns it over to you to explain security issues? Do you ever wind up in front of the board? What do you have going on and what do you think is sort of a best practice?
James: Yeah, that makes me think of a whole bunch of things. Yes, Aaron brings me in on all sorts of things. Our CEO, Michael Mayo, is very, very engaged and interested in cyber. A really shining example – good timing for this interview – is last week we had a large tabletop exercise for a cyber event. We had our entire CERT response team there, and our CEO was present, our COO, our CFO and more senior leadership for the entire 3-hour exercise.
For three hours, we went through an entire event about: here’s the first call, here’s what we would do, and here’s what we were doing, and here’s what we just learned, all the way through ransomware. Should we pay the ransom? We had those difficult conversations and they were present for the entire meeting. So I think that’s a great example of direct face-to-face questions, lightbulb moments, conversations that we had that we wouldn’t have otherwise.
Anthony: I have heard tabletops are valuable but have their limitations. What do you think?
James: The value from a tabletop is really the readiness and practicing those skills you hope you don’t have to use. Forcing conversations that you wouldn’t have had otherwise. Finding where you can improve. There are a handful of things that you know we need to improve, like making sure we have a really good offline copy of our plan accessible. So the scenario we went through is network down, email down, servers down. So will we have a copy of our IR plan available? Maybe not. That was an action item that really came out of that.
Again, I think those are the main benefits. Also, raising the awareness of risks. We had risk conversations in that meeting with all those key leaders that they wouldn’t have known about otherwise. It really helped drive those conversations, raise awareness, and provide that education to the team. I think those are the really key benefits. And then, again, action items to improve.
Where to go from there would be doing smaller tabletops with your technical teams. Kind of doing different flavors of tabletops. I don’t think there’s one tabletop that fits all. I believe that what we did last week is the most important tabletop, but then we also do tabletops internally with engineering and also security engineers and going through kind of the technical aspects of a scenario.
Then, I guess maybe there’s breach and attack simulation, where we pay a company to pentest, and that, to me, is another type of tabletop-ish exercise where we’re practicing those skills. Can we detect them? Can we prevent them? Those are all, to me, variations of practicing and learning and really preparing for events that we hope we don’t ever have.
Anthony: Can you give me some thoughts on the process of making sure you capture what you’ve learned from those exercises, baking it into a new plan and then doing it again to continually improve?
James: That’s key, but some of the benefit is just having an exercise, that’s a part. Then the other part, as you said, is making sure that we capture all the improvements. What I did is I sent out the notes and I assigned action orders and then some are me, some are my team, some are other folks. It’s a matter of keeping that on the front burner, following up, making sure we have deadlines and then closing that out and then at the start of the next exercise, either making sure that it’s all done and that we’re prepared and we’ve improved and we can find new things to improve on.
Anthony: Talk to me more about the pentesting. This is what we mean when we talk about blue and red teams, and I’ve heard CISOs really rave about this. Now, it takes some humility because a lot of times many things are exposed and you’re there who’s supposed to make sure there aren’t holes. You hire these people and they show all these holes. Obviously, it’s a worthwhile exercise but it does take some humility and courage to be the one that calls them in to expose your weaknesses.
James: Yeah, I think humility is a good word, because you’re always going to have weaknesses. So it’s about finding them before the bad guys do. We can sit back and wait for the attackers to find it or we could pay somebody to help us find it, and even if it’s like oh my gosh, glaring – well, then, it’s high priority and we fix it right away and we retest to make sure it’s closed out and then we look at the lessons learned. How did that happen? What process broke down that allowed that to occur? Did somebody turn on some or expose some application that didn’t follow the right process to do it in the right way, to be validated, approved, tested before it’s out there? All those sorts of things help you figure out where the process broke down. All those things are really part of the value of the pentest.
Also pentest means different things to different people. Anytime in a conversation like this, when somebody says pentest – there’s network pentest, there’s external pentest, there’s internal pentest, there’s web application pentest, there’s mobile app. There are many different types and they’re not the same thing at all, really. They’re all very different in scope and what you get out of it, and you really need all of it to some degree based on the organization if you have those sorts of things and you use those sorts of things.
Anthony: Do you do all different kinds? Can you tell me any more about some best practices and do you use the same company?
James: At HIMSS that was kind of a common theme across the whole week – medical devices, medical devices – and that many of them still, even the big ones, the big names, are running old versions of software that can’t be updated or won’t be for a long time. Really all you can do as a security leader is to make sure that you have policies and also procedures in place, and the networking team is isolating them to make sure that they either cannot talk to the outside or, if they do, they talk only on the port and protocol and IP that they need to. That’s really what it is.
Anthony: Is that what we call network segmentation?
James: Absolutely, but I would say that medical devices need high priority segmentation, if you will, versus printers which can use more normal segmentation. But if I was going to rank them in order of priority, it would be kind of the whole medical devices first, really.
Anthony: Very good. I want to ask you kind of an open-ended question. You can go wherever you want with this. From a big picture point of view, what are the top one or two things you’re working on or, if you don’t want to talk about that, a couple of the most important trends that you see, that you think are going to be impactful, that you’re keeping an eye on?
James: I would say top key things that come to mind are NIST CSF. We are migrating from kind of hybrid ISO-NIST policy framework and also security framework from 10 years ago to purely NIST CSF. We are going to that standard which is a journey. If you talk to other CISOs, it’s not a one month, six months, even one year project – it’s a journey to get there, and we’ve ranked the program areas, access management, for example, in order of priority where we want to see the most improvement the fastest. That’s one of our key strategic initiatives for 2022 which will bleed into 2023 as well.
Anthony: What’s the relationship between NIST CSF and Zero Trust? Is that a Zero Trust type model or is it very different?
James: There’s no direct relationship although NIST did release a publication on Zero Trust. I mean, the same standards organization has developed or published information on both, but the security framework is the security framework. It’s policy. It really sets the tone for the program. It’s where you really educate folks on: “Here’s the framework, here’s how we’re going to govern things.” It’s about what do you have in place from a procedure perspective and a control perspective, whereas Zero Trust is a philosophy. It’s a philosophy and an architecture more than a framework, if that makes sense.
Anthony: Would you say you’re “picking” NIST CSF and CISOs might be able to pick from a few different frameworks that have been put out. We hear about a lot of different things. If you pick this one, what is it about this one you liked?
James: HITRUST is another popular one. It’s similar. They are all overlapping. There’s mapping between all of them. HITRUST is a little more rigid and a little more I’ll say expensive. It costs more. I mean, not that we’re not spending a fair amount to get NIST CSF deployed.
But yeah, I really think of HITRUST as something that, if you are going to go out and be a vendor where you’re offering a service, that’s really where I think it can make more sense. Because you can advertise “I’m HITRUST Certified,” whereas NIST CSF is really the best practice. And really, speaking to my peers, most of them are doing NIST CSF, so that really helped solidify that we were going in that direction, hearing that from peers, other CISOs across the industry.
Anthony: Is this the kind of thing where you get a stamp at some point or is this just something where you say, “We worked towards this, this is what we’re trying to do.”
James: Yeah, good question. There really is no NIST CSF certification per se but there are assessors who will assess your maturity. It’s really about where are you in that maturity on your journey. Are you a level 1, a level 2, a level 3 or 4, right? We have our baseline set and we’ve set our targets for where we want to be in the different categories and really the whole implementation is working our way up to that level for each of those areas of the program.
Anthony: It’s nice to have a roadmap, right, to say, “Here’s what we’re going for, this has been endorsed.” This, I would imagine, is one of the regulatory kind of promulgations where if you adhere to it or show you were doing your best to adhere to it, you’re given forgiveness if there’s an incident.
James: Right. Yeah, it’s about due diligence and making sure that there’s no gross negligence anywhere. We want to make sure we’re constantly assessing, constantly improving. We always want to prioritize and make sure we focus on the highest risk but certainly the balance there is if we change our priorities every day, we might not get anything done, so we have to be careful about any kind of reprioritization. But at the end of the day, it’s about focusing on the highest priority, solving and really mitigating the highest risks and then moving on to the next item.
Anthony: In order to truly manage BCP/DR and incident response, CISOs need to work with operational leaders and know more about the operations of the health system – and the implications of any particular application becoming unavailable – than ever. What are your thoughts?
James: Most of what you just said reminds me of our tabletop last week because we were talking to the incident command center lead, our COO, about that exact conversation about the key applications, radiology, the EMR and so forth and lab and how if those systems are offline, the impact. We talked through, “What if that was offline for a day or two days or a week?” Those exact conversations happened last week and it was during a tabletop. Absolutely, I think the key is ownership.
It goes back to ownership and to me, a big part of my security leadership is making sure that each application, each system has a business owner and a technical owner, and making sure that they’re not only identified but they are aware of their role and their responsibility of articulating everything you just said around what if it goes offline, what are those backup procedures and the downtime procedures and being involved in defining the enterprise criticality of the application. That’s not an IT decision.
James: It’s a business decision all day long.
Anthony: You mentioned the value of the tabletop and how many executives were there. Everyone is busy, but they made the time – that seems so important.
James: To me, everything comes back to risk. At the end of the day, we’re all risk managers. Everything we do is a risk management decision and if they’re not involved, then it’s higher risks. They need to be there to prioritize the risks.
Again, those are really the two things that really come to mind. It’s support. If we had any struggle, I think Aaron would have stepped in and really pushed. I didn’t ask, and he didn’t have to. We didn’t need to go down that road because they were there. They were like, “How can I help?” Again, the organization and the leadership has been really, since I started back in December – “How can I help?”
Certainly, my peers have talked about it and shared stories about trying to get the attention, trying to get the focus from the organization, operationally. That just doesn’t happen everywhere. I’m very fortunate to have the team that I have to work with right now.
Anthony: It must be very frustrating for a CISO if they can’t get that level of support.
James: Yeah, again, it all comes down to risk. I’m sure my team and everybody is tired of hearing me say the word risk 10 times a day. But at the end of the day, we can’t get emotional because otherwise, we’d be crying all day long. We just have to focus on the risk, prioritize and make sure the right people make really informed decisions based on that risk. To me, that’s my one liner for my job, if I had to say it in one line.
Anthony: Risk, risk, risk. Well, you could say it as many times as you want to me. We’re about out of time, James. That was a quick half hour. I really appreciate it. Any final words of wisdom?
James: At the end of the day, cyber risk is business risk. IT is only there to support the business. IT wouldn’t be there without the business. We all need to keep that in mind that we’re just custodians and we’re there to support and partner and that, at the end of the day, when we’re prioritizing where to spend the last hour, where to focus, the business should be involved in that because if the system goes offline, or it breaks and it loses data, then it’s a business risk. There is a possible patient care impact.
Those leaders need to be involved in that. That’s why I’m really passionate. To me, that guides every decision, every conversation, and so that’s really the main thing that resonates in my mind when I think about cybersecurity leadership.
Anthony: All right, James. That’s about all we have time for today. Fantastic talk today. I really appreciate it.
James: Thank you and have a good day.