Longo, who feels healthcare CISOs must have a ‘business-enabling’ approach, says going slow and saying no is never an option.
Guerra: Welcome to healthsystemCIO’s interview with Anthony Longo, VP and Chief Information Security Officer with Baptist Health South Florida. I’m Anthony Guerra, Founder and Editor-in-Chief. Anthony, thanks for joining me.
Longo: Thank you, Anthony. I appreciate the time. Happy to be here.
Guerra: I look forward to chatting. Do you want to start off by telling me a little bit about your organization and your role?
Longo: Sure, sure. As you said, I’m VP and Chief Information Security Officer of Baptist Health South Florida. We are a large not-for-profit healthcare system based in the South Florida region, in the Miami area mostly.
We are in the middle of a massive digital transformation, really focusing on bringing out best-in-class technology as it relates to clinical healthcare and how we interact with our patients, and with that comes the need for best-in-class security as a part of that program.
You know it’s been a great first year at Baptist, really just a time to invest in the program and continue to expand our capability and the people, process and technology, and just having a lot of fun.
Guerra: Excellent. I like to ask all CISOs how they wound up where they are. How did you wind up in security? How did you wind up in healthcare, the whole thing?
Longo: That’s a fun question. I’m in year 23 of my career, the majority of it being in security. I always joke that if you found me in the late ’90s in a data center and told me that I would be sitting in boardrooms talking about information security to some of the strongest leaders in the country, I would say you are crazy. But here we are and here it is; nobody knew that security would be as critical a part of the digital transformation of our industry as it is today.
I started out just like everyone else. I was an engineer. I started in help desk and desktop support, network engineering, server engineering and then somewhere around 2002, 2003, I made the decision to do some work in security. I had an interest in it. It was really just working in AV and anti-spam. It was very early days in security back then. Early days of fixed firewalls, ASA firewalls and Trend Micro, whatever. I went to work for an anti-virus company and the rest is history.
The majority of my career has been in retail and hospitality. That has been my primary focus as Chief Information Security Officer but I’m really, really excited to take on something new, a new challenge. Healthcare is at the frontlines right now of attacks across the globe. We’re seeing threats against critical infrastructure day after day and healthcare is one of the most targeted sectors. I want to take the experiences that we learned from retail and hospitality and the breaches of the late 2000s and 2010s around payment and bring them to healthcare.
When the opportunity arose and I heard what Baptist Health South Florida was doing in terms of digital transformation and the support from the executive team for that type of a transformation, both from a digital and security point of view, I was very excited.
Guerra: A couple of things I’d like to go into there. Number one, you talked about the transition from the data center to the boardroom that you made. What would your advice be to those that are still at that data center level but have aspirations to get into the C-suite?
Longo: I think there’s a good mix of technical and soft skills that are required. I often joked with my team: don’t give me privileged access to anything. Chances are these days I’ll break it. To be a good CISO, I think you have to have a wide breadth of knowledge of all of our domains. Make no mistake, information security is a very, very large program today whether it’s supporting infrastructure, applications, governance, compliance, regulations, whatever it may be, right – we have to know about everything that is going on in the organization when it has a technology or a regulatory impact.
At the same point, you have to surround yourself with the best talent that really can deep dive in those areas. We can often say that if we have to talk about DevSecOps as a part of the digital transformation and how we integrate security into those development processes, am I the person that’s going to go in and actually implement a vaulting platform or a static code analysis or whatever it may be? No, of course not. But you have to still understand all those concepts as a CISO to be a part of architectural reviews, project discussions, major strategic discussions.
So one thing I would say as a CISO is never stop learning. You have to constantly stay on top of the industry. It’s not like you get to the C-Suite and then you can say, ‘Hey, I don’t have to worry about technology anymore.’ That’s just not how it works these days. You have to know a little bit about everything that is going on in your organization and everyone else’s.
At the same point, you have to surround yourself with really good talent that can then drive your initiative and your strategic plan in those areas. I often say we are 10 miles wide and 10 feet deep as CISOs, and then you want really strong leaders who are 10 feet wide and 10 miles deep on your leadership team. That’s how it works.
On the other side are the soft skills: you have to be able to communicate with business leaders across the enterprise or clinical leaders in the healthcare space that may not be technology experts – or may think they’re technology experts – and you have to be able to convey with confidence, and in language that is understandable, the true risk to the organization and why they are real risks.
There’s a lot that goes into that; a lot of it comes with experience and practice, just feeling confident in a meeting room and being okay with saying, ‘Hey, this is what we’re doing and this is why we’re doing it and this is why it’s important,’ and then having the understanding, knowledge and the evidence to back that up. But also as you go through your career – and even if you’re early in your career and you’re still in college or education – taking classes, speaking engagements, volunteering in your community. Those are all ways to get yourself used to public speaking. That’s what you need to do.
When you’re in a board room with 12 board members, outside auditors, legal counsel and whatever else is in the room (it’s not a small room usually when it’s the boardroom) you have to really feel confident and be articulate in your delivery.
That would be how I’d say it – one, stay strong technically but you don’t have to go 10 miles deep. You just need to understand and stay on top of the industry, the threat, the research, transformation, not just in security but across technology. Then on the soft skill side, it’s practice, practice, practice, confidence, and then just know your delivery mechanisms and how to deliver your message right to your audience.
Guerra: Right – you have to understand the concerns of the people you are speaking to. You have to speak in their language.
Longo: I’ll tell you what the best language is. The best language is numbers, metrics, quantifiable views of the status of the organization. When I say to an executive team or the board that we have an EDR, an endpoint detection platform, across the enterprise, that’s great. We went out and spent $1 million on a product, but how do I prove that it’s effective? Well, I prove that it’s effective by showing that here’s my asset inventory and here’s proof that my coverage matches within five 9s, or whatever the threshold is for your organization on your KRAs or KPIs, and that we meet those expectations, right.
They understand numbers. They understand thresholds. They’re not going to understand what an EDR versus an XDR versus traditional AV is but they will understand when you say we have bought a best in class solution and it’s covered 99.99% across the enterprise because we’re constantly transitioning assets.
That’s what I would say is, one, use words and language that they understand and metrics is one of the best ways to do that. Two, you don’t have to go in there and be fancy. Forget the acronyms. Acronyms are the worst thing you can do. It goes both ways. Honestly, in healthcare, there are a lot of acronyms in healthcare and as a technology specialist as opposed to a healthcare specialist, sometimes I get lost in the acronyms, with all these committees and all these medical procedures and whatever may be.
I would say avoid the acronym, keep it simple and make sure that you’re really clearly stating what you want to say. Lastly, just don’t go over the top. Not too many words, make it a conversation, make it feel like it’s back and forth. Let them ask questions. Don’t be there to lecture. Don’t be there to just deliver a spiel and run out the door. Ask them their questions – what do you think about what I’m saying? Don’t fill your PowerPoint with a thousand words. Make it short, sweet and make it a conversation so that they can help drive the conversation to what they want to hear if you don’t know what they want to hear.
Guerra: Like you said, you have to be prepared in your presentation. Your numbers have to be right because these are smart people. If there’s a mistake in there, if there’s a hole there, they’re going to point it out, and once they see it your credibility is shot.
Longo: Absolutely. There’s nothing worse than slide 2 saying one thing about a metric and then slide 8 saying another. That is not a good thing and then you’re done. Really, metrics are really valuable ways to quantifiably prove the effectiveness of your organization.
Guerra: Talk about the benefits and challenges of you coming from outside of healthcare.
Longo: Yes, absolutely. I would say that there’s great benefit to going outside the industry (to hire), right. If you’re ingrained in one industry, you’ve only looked at it in one lens. When I talk about retail and hospitality and you think about all the payment card breaches starting around 2010, 2012, the big ones. I don’t want to name retailers that have been through it. But we know that was the start of a massive investment in security and maturity in that industry.
If you were a part of that industry, you’ve lived through that in multiple iterations of those program rebuilds, maturity programs, getting in boardrooms, maybe for the first time, having to explain to the board what we’re doing, why we’re doing it and why we need investment, and you really learned a lot. You can take those learnings every step of the way, and now here we are with another industry, healthcare, which has been receiving major threats since 2019.
Well, we’ve been through it. We’ve been through the major breaches from the other side of the world in retail, in other areas, whether it’s finance or government. By taking people from other industries, you can then leverage those learnings to help build programs the right way.
At the end of the day, a framework is a framework, whether I’m following NIST or ISO or if I’m going to worry about HITRUST, whatever it may be, right. To build a mature program with a framework, I can map any program to any number of frameworks. There may be some minor nuances, minor differences but, at the end of the day, a program is a program.
As far as the challenges of me coming from another industry into healthcare and going, ‘I don’t know anything about healthcare. I’ve never worked with a doctor. I sold chicken or I sold rings.’ I would say again, surround yourself with the right talent. I have really, really strong leaders that have been in healthcare for 10, 20-plus years who can then be there for me to lean on when I have a question about healthcare-specific processes or regulations.
You take the knowledge of previously building large scale, best in class security organizations, mixed with talent that has been in a specific healthcare institution or the industry long-term, and now you have a team that can deliver it right.
Guerra: I have a funny question that just occurred to me. I assume in your other positions, you’ve been yelled at on occasion by high-powered users, people that are very influential and important that in the old days probably went into your office and started yelling. Has that ever happened?
Longo: More than once. It’s just part of the job, right? There’s so much to being a security professional. There are many different types of CISOs and that’s a whole other conversation for another day. I have always been a business-focused CISO, right? The idea is that our security organization does not exist without the business. If the business isn’t there doing its job and caring for patients or selling products or whatever it may be, I don’t have a program anyway. You have to be supportive of your business.
One of my core commitments to the board is about secure business enablement; how are we supporting business transformation through secure technology? Whether that’s supporting digital transformation and supporting agile methodologies in DevSecOps and integrating security into that agile lifecycle, whether that’s supporting all the needs for many, many different types of medical devices and vendors – which is something unique to healthcare that I haven’t seen before – and understanding how we build those standards and assess those vendors and put controls around what they do, whatever it is, we want to reduce the impact we have while ensuring security.
I often say we are not allowed to be slow and we are not allowed to say no. It has to be really egregious for us to say no. If you read my mission statement in every job I’ve ever been in, we always use the word frictionless. What we do, we want to be frictionless. We do not want to introduce friction into the processes of our clinical organization, in healthcare or in any other industry you’re in. Now, is it always perfect? Of course not, but that is the goal of the organization.
Support business enablement through secure business enablement and you’ll win those partnerships. When you get those escalations, assess the risks. What is the true risk to the organization? For example: Okay, it’s running an unsupported operating system but it has no network connectivity. Okay, it’s a stand-alone device. It doesn’t plug into the network. It’s never going to plug into the network. That’s something we can document, talk about, log an exception. Now, if it’s something that talks to the internet, it’s a different risk. You have to talk to the vendor and work it out.
At the end of the day, I would say that you really, really need to be there to support your business, and convince them of it. I do rounds with the CEOs of our hospitals and of the operational side of our business, and we say, look, we are here to support business enablement through secure business enablement.
There are great opportunities in security to do that and make life better. A great example is identity and access management. Identity and access management is traditionally a security function. There are ways where you can improve security with things like passwordless, biometrics, whatever it may be, to improve security maturity while also increasing the streamlined procedures and the speed of log-on for our users. So the benefit is two-fold – I’m getting more security out of my system but I’m also making life better for my users.
Guerra: CISOs, just like CIOs, can’t just wait for requests to come to them from the business, but they should also proactively be reaching out to the business with recommendations, advice and suggestions, right?
Longo: There are two sides to it. There’s the CISO role where you do deal with that. I sit in every executive strategy meeting, whether it’s technology executive committees or business executive committees, so I know what’s going on in the organization, and that’s the passive side, right. Then I can be responsive.
Then, people are also proactive and reach out and say, ‘Anthony, we’re looking at doing these things; who do I need to talk to? What do I need to do?’ In large organizations, finance has been embedding people into different departments forever, but even in traditional smaller organizations outside of finance, you have architecture functions and you can ingrain security specialists that are focused on business technology into those other teams.
Let’s say it’s in healthcare; you can say that I’m going to have architects that specialize in certain clinical technology or architects that specialize in ERP and operational functions. You can integrate them, and I’ve done that in the past, where they go to their staff meeting and are regular parts of the conversation and are almost an extension of their team from security to, again, go back to what we talked about a minute ago, secure business enablement. That is the goal at the end of the day.
I would say that it’s a mix. You need to have your eyes and ears open at all times to what’s going on because there is a problem with shadow IT in every industry. Things happen without our knowledge. We need to know what’s going on however we can and try to stay on top of it through education, policy, process and being present.
Guerra: You mentioned you’ve done that in the past, embedding individuals, security individuals, into different operational teams. Do you think you might do that here?
Longo: I would like to. Right now, I do have a team of architects. They’re not embedded directly into the teams but they are a team, a pool I can go through and be reached out to in any way. They have their different specialties. Some are better at compliance, some are better at cloud, some are better at traditional infrastructure. I don’t know if we’ll ever be big enough, like some of the larger Fortune 100, 200 organizations, to have dedicated security architects for an ops team, a digital team, an apps team, whatever it may be, but I do think that’s the ideal goal if you can get there.
Guerra: You like that. You think that’s a best practice?
Longo: I do. I’m not going to say it’s the right thing for everyone, but it’s the way I’ve had success. Everybody has their own approach. I feel that if you want to be a business-enabling CISO, you need to have representatives from your organization ingrained in those businesses.
Guerra: You mentioned the term ‘business-enabling CISO’ a couple of times. I mean, is there any other way to be successful than to be a business-enabling CISO?
Guerra: What’s the other kind?
Longo: There’s very by-the-book stuff. You could be in regulatory. You could be in military. You could be in many things that are much more focused on strict, strict, strict, this is it, this is it, this is it, but when you are in the business side of security, executive leadership, you have to balance the business needs, the risk associated with those business needs, the threat landscape, the true risk to your organization.
There could be a critical zero day, but if it doesn’t impact me or if I don’t have those versions of that software, then it’s not as big of a risk for me. You have to balance risk, real risks, critical risks. Whereas, maybe other industries that are heavily targeted in military, at war, state action, state-sponsored activity, they may just be like, ‘Look, here’s the policy, there’s no other way. We have an air-gapped network, you have no choice. That’s it.’ But for those of us that are on the business side of security, you really have to support the business or you’re going to fail as a CISO.
Guerra: Right. You can’t be totally risk averse or the business won’t function. You have to accept some level of risk. And it’s not you, as the CISO, who is making that ultimate decision of how much risk to accept, right?
Longo: Absolutely. If a business owner makes a request and we have a real big issue with the request – which is very, very rare that we can’t come to terms with the business owner and a vendor – then it is not on me to make that decision. I am not the business. My job is to assess risks, identify risks and put it out there to be decided on and then document the decision.
We take that up to the executive team and say, ‘Look, this team wants to do this, I think it’s a terrible idea because of X, and we have gone round and round for 3 months with the vendor or whatever it may be and they won’t do it and, at the end of the day, we are at an impasse.’ It’s very, very rare that happens but it does happen. Then the business has to decide, is it worth the risk? After that, it is up to us to do our best to mitigate that risk as much as possible, if they do choose to move forward against that risk.
Guerra: I’ve heard the word you used from other CISOs I’ve interviewed in this same scenario which is: document. If they want to do it, if you said you don’t like it and they want to do it, document, document, document.
Longo: It’s not even about covering yourself but more about having proper governance and a written compliance program. All of your exceptions should be documented and approved properly. There should be a documented risk: what is the risk, what are the policies it goes against, what is the exception, how long is the exception good for, is there a remediation plan, have the business owners signed off, has the CISO signed off, and then the ultimate executive that made the decision? You’re not doing it in an email. I’m just saying, from a governance perspective, you want to make sure you document those exceptions.
Guerra: Right. And maybe the decision to take on that risk against security’s advice is the right one.
Longo: It could be a niche product, for example. One company in the whole world that does it and they know they’re the one company and they refuse to adhere to industry standards around security, you have to document that they will not follow our standards, contractual standards, and they’ve redlined them and whatever, but we still need to do that procedure.
Then, we’re going to say, ‘Okay, we’re going to try to reduce its network exposure, we’re going to segment it,’ whatever we’re going to do on and on and on but at the end of the day, somebody has to accept that risk and it’s not the CISO.
Guerra: Right. Let’s talk a little bit about shadow IT which you mentioned and is a big problem. Why is it so hard to stop it?
Longo: At the end of the day, I would say that there are two reasons. One, process is difficult. People don’t understand process. People don’t want to follow process. People don’t know how to do things. When you join a new company, for example, I don’t know who to approach, how requisitions go, how do I add a new vendor, how do I add a contract, how do I negotiate redlines, who do I send the procurement to, to legal, to supply chain, whatever it may be, right, you don’t know. I think that’s one issue – process is always an issue.
Then, two, ‘I needed it yesterday.’ Always the issue. I needed it yesterday. I had this urgent, urgent need. I needed it yesterday and I need it right now or we’re going to lose millions of dollars and I needed it yesterday, and we don’t have time to negotiate security, and we don’t have time to do architectural review, and we don’t have time to stand up secure servers, and it’s going to be a fast application. We’re not going to integrate identities, blah, blah, blah. We need it yesterday, we need it now and if you don’t do it now, we’re going to lose all this money, we’re going to get fined and on and on.
How do you stay on top of it? You have to build practices that are easy to understand, easy to find and easy to follow. That’s a work in progress everywhere you go. I’m not going to say there’s any silver bullet. It is not easy. But if you could put those processes in place and you could get those processes followed, then you can have your risk management teams do those assessments against software, against vendors to make sure that is not shadow IT and we’re taking care of our business.
But at the end of the day, shadow IT is a problem. There is definitely shadow IT in every enterprise. You do your best with different types of cloud gateways and whatever you can to reduce your shadow IT exposure as much as possible, but at the end of the day, we have to do what we can to support our business.
Guerra: I’m going to ask you an open-ended question. What are either the most interesting trends you are following or a few things you are working on?
Longo: I will talk about what is scaring me in the future and what I’m talking about – how’s that? I will say that we know ransomware is a discussion everywhere, in many, many industries. We see it in social media – I track it every morning when I wake up. You asked what it’s like being a CISO? Every morning when I wake up I go on social media and I look at researchers in Europe and Asia, because that’s how I get the quickest information, while I’m drinking my coffee, of what’s going on in the world. Is there a zero day? Is there a new threat? Is there a major attack going on, whatever it may be? I would say that’s really critical. Ransomware is obviously something big and we’ve seen ransom attacks against critical infrastructure, to pipelines, to healthcare, whatever it may be. We’ve read about companies losing their EMR for months. We read about companies losing their EMR permanently. That’s one side of it. We know about that, servers and workstations and whatever it may be.
But we got some information from the Department of Health and Human Services last year about concerns around medical devices. That is something that has really stayed at the forefront of my mind as the FDA is now looking to draft stronger requirements around medical devices and security.
The guidelines that are in place today are not that strong and they are just guidelines. There’s not a lot pushing the vendors other than the vendor’s desire not to be in the news and to be secure, to secure their medical devices that are operating in our environment. I often say to our vendors, if there is a breach as a result of your connectivity on your medical device on my network, it’s not going to be the vendor’s breach, it’s Baptist’s breach. It doesn’t matter how it happened. It’s my breach and I’m the one that’s going to have to deal with it and deal with the litigation and the media and everything else.
Vendor devices and medical devices are a huge, huge concern to me as we look at the large number of healthcare devices that are out there that are running old operating systems, unsupported operating systems, being unpatched, not following patching guidelines, not running next-generation controls such as endpoint protection or segmentation or whatever it may be.
Now, there are ways you can work with your vendors to put those things in place and I highly encourage anyone watching this in the healthcare industry to start drafting stronger language with their vendors, start enforcing that language in negotiations with their vendors. Not every vendor is going to come along but you’ll be surprised, many vendors will.
There are many vendors that are willing to work with you and take your controls – if you feel that you have industry leading controls and services – and put them on their medical devices if they can, or on their servers that support those medical devices, obviously with the FDA certification requirement. But I think that’s where I sit today because where I’ve seen ransomware is on servers and endpoints. What happens if someone gets access to our environment and says, ‘Hey, I have access to 50% of your medical devices (or all of your medical devices of a certain type that have a vulnerability) and I’m going to change (I’m not a medical professional) the dosage of a medication for 50% of them unless you give me $10 million, you have 24 hours to respond.’ That could really cause harm to our patients, clinical harm and impact patient safety. What do you do?
It’s not just about patching and patching and patching workstations and servers, but now we’re looking at third party or vendor risk in medical devices. How are vendors connecting to our environment? Are they using MFA everywhere just as we mandate everywhere? Are they patching their medical devices just like we mandate our internal teams patch their system? Are they ensuring that they have the latest controls and they’re being monitored on their medical devices just like we do on all our assets?
If not, can we put it on there? I would say that is the trend that I think we have heard from the US government. This is not just me throwing it out of thin air. In the medical field, with how much patient safety depends on our ability to do our job safely, that is a big risk. That is why we are really focused on ransomware, medical devices and that threat as we continue to improve our maturity across our enterprise.
Guerra: I’m going to ask you one final question: speaking to CISOs in comparably sized health systems, what’s your best parting piece of advice for them?
Longo: Be a partner. Don’t be a hammer. Don’t be an auditor. Be a partner as a CISO, support your business. Support your clinical teams. Support your operational teams. Support your technology partners. The more you support them, the more you assess risk appropriately, the more you ensure that they have what they need to be successful, the more you’re going to be successful because they will ensure you have what you need. When that critical risk comes along, when you need to shut something down, or you need to patch something urgently, they’re going to be more supportive of you.
I think as a CISO, be collaborative. Don’t silo yourself. Be a partner. Focus on business enablement. Yes, we have to follow regulations; yes, we want to follow best practices; yes, we want to do everything we are required to do as leaders and executives; but also be a good partner in support of your business; be collaborative, and that is how you’ll be successful.
Guerra: That’s fantastic, Anthony. I think people are really going to enjoy this. Appreciate your time today.
Longo: No problem, Anthony. I had a great time. Thanks for having me.