Published January 2023 –
All CISOs know that during a cyber event — and even on a day-to-day basis — your team is the army at your side, the warriors you and the patients are depending upon. That’s why Greg Garneau, CISO at Marshfield Clinic Health System, doesn’t leave recruiting to chance. He works with his HR department to go after regional college sophomores for internships, with the express purpose of preparing them to join his staff upon graduation. In this interview with Anthony Guerra, healthsystemCIO founder and editor-in-chief, Garneau talks about how he recruits and retains valuable staff in this era of ransomware. Located in a rural area, Garneau flashes best-of-breed technology at them (which offers the promise of learning multiple applications), then gives them real projects to boost esteem and morale. “There’s a real talent war out there,” he says. “Cybersecurity folks are being offered significant salaries to jump from place to place. So talent retention and talent acquisition are on the top five of my risk areas.”
LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE.
“People talk a lot these days about how we have to work differently, and we have to start thinking outside the box. Well, there is no box; you just have to start thinking in ways you’ve never thought before.”
” … we look at solutions that bring in more automation with less need for people to touch keyboards on it. It’ll funnel really important data to us, not just death by alert. We don’t want all of that white noise.”
“You can’t take on all of this yourself. No, it’s just not possible. There’s not enough time in the day and not enough bourbon in the bottle to be able to do that.”
Guerra: Greg, thanks for joining me.
Garneau: Happy to be here today, Anthony.
Guerra: Thank you. Excellent. Greg, can you tell me a little bit about your organization and your role?
Garneau: Sure. Thank you for having me. Again, this is a great opportunity for me to talk a little bit about what we do here. So the Marshfield Clinic Health System is an integrated health delivery organization located in central Wisconsin. We’ve been around for over 100 years. We were founded in 1916 as a clinic, very much like Mayo or Cleveland Clinic. We’ve now since gone into the acute space as well. So we have around 60 clinics in central Wisconsin and the Upper Peninsula of Michigan. We have 11 hospitals. We have a research institute, a health insurance plan, all of which fall under my purview as CISO.
Guerra: Aren’t you lucky, right?
Garneau: Keeps me hopping every day. We’re dedicated to rural healthcare and serving underserved populations. So it’s a really great mission we have here.
Guerra: Excellent. Can you tell me about how you came to be where you are career-wise? What was the evolution of Greg Garneau winding up as a healthcare IT security expert?
Garneau: Well, , it’s like most folks. You start out in IT at some point. I’ve been in IT since the mid-90s. Starting really early on turning wrenches, building computers, managing endpoints, that type of thing, then moved into all types of engineering architecture, and then got into network security in the early 2000s. Then I really got into cybersecurity and managing cybersecurity for almost 15 years now, so transitioned to working in a commercial clinic health system in 2015. And took on the CISO role in 2016.
Guerra: So you started out going down the engineering architecture path. Do IT people, at some point, pick between going down the architecture/infrastructure path versus the user-facing application path?
Garneau: I think at the time, that’s really what my focus was. I wanted to be more on the engineering side of the house. And in the systems side of the house, we see a lot of that; a lot of the folks on my team started out in that, as well. But there’s been I think, in my opinion, a shift. Given the lack of talented cyber folks, you’re not looking necessarily for a systems engineering background or an applications background. One of the things that we look for these days, when we’re looking for staff, is someone who has the — call it the attitude and the acumen. If you have the ability to learn, the curiosity, the desire to do this work, and the understanding of the concepts, we can turn anyone into a cybersecurity professional or warrior, as I like to say.
Guerra: I’ve heard that from other folks, from other CISOs, and it sounds like what’s going on is the lack of workforce availability for the specific talents you’re looking for. The messaging from CISOs out there is intended to stop scaring people away who may have been scared away because they didn’t have the certifications and didn’t have the background, and CISOs are saying, “Hey, we need you. We’ll help you out if you have these qualities.” And I’ve heard that curiosity is a very important quality, you have to be a problem solver, a curious person who wants to learn. And then I’ll take you in and we can work with you. Does that sound right?
Garneau: Yes, I absolutely agree. And one of the things that we also focus on here is, I call it building our bench. So we start in the colleges and universities in our internship program and recruiting folks there. In fact, we’ve had a very successful relationship with the University of Wisconsin, Stout, which is the state’s only polytechnic university. They have courses on development and infrastructure and cybersecurity (they have a very good cybersecurity program there). So we’re also looking for talent there. It’s one of the things that I think we all struggle with in this role, is the ability to find talented people who we can bring in and help us with our cyber-defense and our mission.
Guerra: Let’s talk a little bit more about that. And let’s see if we can give any advice to CISOs out there who are intrigued by this internship concept. Is there any advice you can give on how to move that forward; any key people that the CISO would want to work with internally in the health system to get that moving, and any other advice for a CISO who says, I want to avail myself of something like this?
Garneau: So one of the things that we have done, and we’ve done it for a very long time here at Marshfield Clinic, is we understand the value of finding folks who live in the state of Wisconsin and who want to come work here. And the interesting thing is, pre-COVID, we had an even harder sell, moving to Central Wisconsin – for a lot of folks coming straight out of college, that’s not the desired state. They all want to go to the big city and do all sorts of fun things. But we use best-of-breed tech. And that’s another draw for these folks. Leadership has signed off. You need your leadership to really understand the need and understand your program and your message that we’re going to continue to need to find talented folks.
So we have to reach out in places we’ve really typically not done before. And starting in colleges and universities, and getting folks introduced to the Marshall Clinic and our mission, I think, has been very helpful. So you need to have contacts with your local universities. You need to understand what they’re teaching, as well. So where are the programs in your state in the universities that align with what you’re trying to accomplish? So computer science, if they have cybersecurity programs, I mean, it’s always great too, again, the ability to get people early and start them in your program. So we typically bring juniors in, so we have two summers with them, if they’re really good. So then by the time they graduate, they’ll have a really great understanding of our program. And if they wish to come to work for us, that’s great. And we’ve already got trained students who now become trained professionals, or I mean, real professionals in our field.
Guerra: So is step one for the CISO to go to HR and have a conversation with HR and say, “Listen, I’m having a little trouble finding the talent I need. I know this is a route other people are taking; what do you think about this? How can we move this forward?” You’re not out there yourself calling colleges, right? I assume there’s some partnership with HR.
Garneau: There is. So HR is definitely involved. And they have a whole team of people who go out to colleges and universities for job fairs. Not just for IT, but nursing and a lot of the other skilled trades that they have. So ensure that you’ve got great buy-in from your own leadership; that’s the first step. Then partner with HR, and then once HR identifies universities that might be a value, then start reaching out to the deans and the program directors at the different universities.
Guerra: And are you doing much of the direct outreach there?
Garneau: I think it’s important that you know who these folks are. You have to have a relationship with the universities. I think it’s a mutually beneficial relationship. Not only can they help steer students to you, as a cybersecurity leader, but you can also go to those universities and speak and encourage students to get into the field and excite them about the opportunities that you have. And a lot of the students, they’re all about, “Hey, I want to do Red Team/Blue team, I want to be a pen tester, I want to do all these really cool and exciting things.” But you can also then in talking to them, let them know that there’s a whole host of other exciting cybersecurity careers that you can have that actually serve a purpose and a benefit, a greater benefit, like medical device security.
Guerra: Okay, I just want to make sure the listeners understand that they can’t just make one call to HR and walk away. This is something you need to manage, get involved in and put your arms around. I’ve seen quite a few CISOs posting jobs on LinkedIn from their own personal profiles. So that seems to be a trend where, and again, the sentiment you touched on was expressed to me previously, which is, “I know this stuff better than HR, I know what I’m looking for. I know what profiles I want to see.” If you have a pretty good network, that thing is going to get read and shared over and over, so you really could get quite some significant exposure. Is this a good idea?
Garneau: Absolutely. I completely agree. People talk a lot these days about how we have to work differently, and we have to start thinking outside the box. Well, there is no box; you just have to start thinking in ways you’ve never thought before because the need is so great to find staff, and to bring people into your organization who can help you do the work that’s so vital in ultimately protecting our patients in our system. So whatever means that we can use to get the word out that we’re looking for staff, we’re looking for people to come and join our team, we have to use. It doesn’t mean you just have to start with HR. HR isn’t your funnel. You can do lots of different things. Ultimately, you may have to go through HR, but if people are reaching out to you individually, then you can just direct them straight to your company’s website to start filling out forms and then the process kicks off.
Guerra: Right, right. We’re talking about the people shortage, the workforce shortage. There are tons of tools out there; brilliant tools. One of the sentiments I’ve heard expressed from CISOs is I don’t need another tool that gives me information that I don’t have the resources to follow up on. Right? I don’t want alert after they’re alert. So I want the complete package. But if you’re talking about a tool with managed services wrapped around it, if you’re doing the follow-up work, that’s more interesting. Is that what’s going on?
Garneau: I believe it is true. I certainly do. I know of others who have gone the managed services route. We have not. We still are doing a lot of that work ourselves. But I think there’s a space for it, I think there’s a spot for it in organizations, the issue becomes one of cost, right? Cost is always a factor these days in determining what solutions or what service provider, managed service you’re going to go with.
I think one of the things that we have done looking for tools that we’ll bring into our organization — it’s not just, “Hey, give me another bright shiny box,” as you pointed out, that’s going to do all sorts of things that I really can’t take action on or operate. So we look at solutions that bring in more automation with less need for people to touch keyboards on it. It’ll funnel really important data to us, not just death by alert. We don’t want all of that white noise.
I call them force multipliers. You bring in solutions that will act as a force multiplier for your staff. It doesn’t require you to go out and get an extra FTE just to manage that solution. So we’ve been doing a lot of that; looking for efficiencies in solutions so we can focus staff effort on more important operational or other security program initiatives as opposed to just jumping at alert after alert.
Guerra: Right. When we talked about managed services, the way you expressed it almost sounded like an all-or-nothing type thing. Is that what you meant or can you do small pieces of your operation and say, “Alright, this piece, we’re going to outsource but we’re going to keep the other stuff?”
Garneau: Oh sure. You can certainly, it’s not an all or nothing proposition for sure. And there are times, in fact, we’ve been looking at solutions recently that would make sense for us to partner with, to help our organization. So I certainly believe there are opportunities across the board from complete managed service end-to-end to just as you mentioned, just a portion of what it is that you’re doing for your business.
Guerra: I’m going to ask an open-ended question and see where you take it. What are the one or two most important trends that you are looking at that you are trying to position your organization to be ready to handle?
Garneau: I don’t know of any CISO who I speak to on a regular basis who isn’t concerned about business continuity and ensuring that the dreaded ransomware that is out there won’t impact their organization. What are your plans, what is your time to restore — all of those things. I know, as an organization, we have spent a significant amount of time and effort ensuring that business continuity, downtime, all of the things that people talk about: backups, restoring, planning. All of the things that people talk to us about in terms of good practices we have been looking at on that side of the house.
And we’ve also spent a significant amount of time looking at medical device security and ensuring that that ecosystem is as safe as we can possibly make it. The days of non-connected devices are way over; they’ve been over for years. So it’s now interconnected medical devices, where each node is a potential threat. So anything connected to your network on the medical device side could be a problem. So we brought in tools that will help us manage that risk, identify devices that are vulnerable, and then we work to remediate it.
So those are two very big issues that we’ve been dealing with. Now, obviously, throw a third one in there, and I’m going to go back to staffing. There’s a real talent war out there. Cybersecurity folks are being offered significant salaries to jump from place to place. So talent retention and talent acquisition are on the top five of my risk areas.
Guerra: Well, let’s talk a little bit about talent retention. I mean, money is money, but let’s take that off the table, you’re going to pay people as well as you can, you’re going to do what you can do. Now beyond that, do you have any particular strategies you might recommend to other folks for how to keep your people happy?
Garneau: So one of the things that we do as an organization — we obviously have folks who are specialized in certain aspects of our cybersecurity practice — but we also have times we set aside for learning different aspects, something that you don’t necessarily do on a day-to-day basis, but we have members of the team talk about it and encourage others to get more involved. I think one of the things that we run into is some of the junior level members of the team, we need to mentor them, we need to encourage them to stay excited. And we need to give them more responsibility. So I do that as well. So you give them projects to complete that are not just throwaway projects, these are real and serious projects. So it’s encouraging folks to learn more — it’s that curiosity factor I was talking about earlier.
And also, we’ve been doing these things with talent profiles. What is it that you want to do with your career? And then, you start aligning their desires to their career. And it’s one of those things that keep folks excited about the work. And ultimately, you’re going to get them to stay longer because they really enjoy what they do. And as you point out: the money part is the money part. But that’s not the whole motivating factor, the driving factor for most folks. And we also want to have a good working environment — a very collegial, collaborative team-focused, team-centered environment.
Guerra: I think the talent profiles you mentioned, finding out what they want to do, is definitely the way to go. Because it’s not a one size fits all, right? I mean, you want to go this way, you want to go that way, you want to move up, you don’t want to move up, right? You want to deal with customers, you don’t want to deal with customers: Okay. I want to make you happy. I mean, we don’t want to get fixated on forcing people out of their comfort zone. “Everybody needs to get out of their comfort zone!” Well, that’s not a recipe for making everybody happy. Right?
Garneau: We’ve had folks who are hood up, hands on keyboard, “Leave me alone, I’m getting things done, I’m happy.” And you want to throw them in front of a group to speak? That doesn’t work. We just know that.
Guerra: They resign, and then you say, “Why do I have a talent retention problem?” And so you told me about it being a collegial environment. Everything isn’t always roses. If you study leadership, one of the biggest problems is a leader who doesn’t remove a problem, right; if you let someone who’s not good for the team remain. So if you want a collegial environment, you have to take care of those issues, correct?
Garneau: Oh, absolutely. I mean, you’re not walking in every day expecting rainbows and unicorns. First of all, it’s a fast-paced world, constant change, constant threats, we’re driving hard. But when you build a cohesive team, right — it’s small-unit cohesion tactics that you need to bring into play. If there’s a problem, you’ve got to deal with it quickly. So the problem’s identified, action taken, and the team understands that we’re back to a good state.You have to address those. And what’s really good about the work that we do and the folks that we have is I don’t identify and have to deal with it, sometimes. The team, the leadership team, will say, “Hey, we’ve got a problem.” And I’ll find out about it, and they’ve dealt with it in a way that makes perfect sense. But I like allowing people to make decisions. So it’s about distributed-leadership theory, where we empower the team to make decisions. Also as it relates to how the team interacts with one another, we let the team lead often take the lead on helping to remediate. Obviously, if it becomes a much greater problem, I’ll jump in, and have in the past.
Guerra: I would say, and I’m guessing you agree with this, I would say one of the biggest satisfactions you would get as a leader is when you find out after the fact that a problem had occurred and been resolved without your even knowing about it.
Garneau: Oh, absolutely. I mean, positive outcome without my involvement — it makes you proud more than anything. It’s reaffirming that the folks that you brought on board and the reason you brought them on board were sound. It’s been validated that they are great folks and you can count on them.
Guerra: And I’m thinking that perhaps a good message leaders should get out there to their teams is, “Hey, this is great. If this happens, you don’t have to tell me everything. I don’t need to know everything until maybe after the fact. But if it’s handled without me, that’s super, that’s even better.” They need to know that right?
Garneau: Oh, absolutely. Yes. Like I was saying, you have to have that culture of decentralized leadership where you empower your folks on the team to make decisions. And even if it’s a wrong decision, that’s okay, I’ll be told about it, of course, and I’ll have to come in and we’ll have to resolve it. Empower folks to make the decisions and nine times out of 10, they’re going to be the right decisions because of who you brought on board. So yes, those are the messages that are important that people realize. You can’t take on all of this yourself. No, it’s just not possible. There’s not enough time in the day and not enough bourbon in the bottle to be able to do that.
Guerra: That’s great. And as you mentioned, if they do make a mistake, I think one of the more delicate parts of leadership is addressing that without making them gun shy, so to speak, that they don’t want to make a decision again, right? It’s like, “Okay, I do have to address that. I don’t think this was handled perfectly.” But I need to address it in a way that they will be willing to make a decision again.
Garneau: Absolutely. You can’t come in heavy handed, you have to encourage them to own the mistake and fix the mistake. And you can, those are coachable moments. That’s what you want to be able to do. Coach; not break.
Guerra: Let’s talk a little bit more about the business continuity planning, one of the issues that I’ve really just drilled down on in my mind as an interesting area, almost a gray area, is the CISO’s role in interacting with clinical leaders to work through a scenario during which the organization has to go to paper. How does that get worked through and who takes the lead?
Garneau: So the first thing I would say is, this is not just an IT thing, right? First and foremost, we have obviously a very, very vital role in this from an IT and a CISO perspective. But the business, the leaders of the business, the clinical care leaders, they have to be engaged. And we’re doing that now, where we just engage all of the leaders, so we have tabletop exercises with leadership across the entire system. At each location, we have tabletop exercises, about what exactly happens when boom happens. When that occurs, what is your job?
And we talked to them about what could happen; the loss of all technology, and you’re back to paper — Stone Age stuff. And we’ve learned from a number of different events over the course of the last two-and-a-half years that it’s so important to get out in front of this early, and make sure that when this happens, people know what their downtime procedures are because patient care is impacted. This is about patient safety. All of this really is. It’s a cultural shift that has to occur in an organization. And the leaders need to understand where that folder is, the binder is, that has the procedures. Everybody in every department needs to understand what that is. It’s not just, “Oh, yeah, IT will fix it. We’ll be back up in a couple hours.” I think we all know; ransomware events are significantly more existential.
So it’s partnership with the clinical side of the house, its partnership with our emergency management folks. So we have a whole group of people involved in the planning and the exercising that isn’t just IT. It’s using what we learned from COVID in terms of having emergency management or our different committees that get turned up in the event of emergencies. So we’re using some of the things that we learned there for the ransomware events and the planning. So it’s not just an IT issue. It’s not just the CISO looks at it. But it’s everybody in the health system from the CEO on down needs to understand what these events actually are where you’re actually back to paper charting. How do you read an X-ray? Or how do you move images? Well, you don’t. It’s all of those things. And the people in radiology need to understand that. So it’s a really interesting dynamic in some of our first exercises, the looks of shock and fear on the faces of the others. It was definitely eye opening for them.
Guerra: Who is convening the exercises? My concern for health systems is that it’s not an IT problem. It’s not a clinical problem. It’s a bigger picture organizational problem. But I would suspect a lot of CEOs are not thinking about this, so I get concerned that, at some places, it may be falling through the cracks.
Garneau: Well, you’re absolutely right. It’s not something that people think about in small rural systems. The kinds of systems that we are around, they don’t have the staff, they don’t have necessarily the training to do this, or they’re worried more about operational issues. And then all of a sudden you get hit with a ransomware event and you’re done. We have taken the approach that it is a collaborative effort. So it’s the CTO, it’s the CIO, it’s the CEO, and the entire C-suite on the health system side, who has made this a priority. So you’ve got to start there and make it a priority. And then you’re able to bring in all the various groups to have these exercises and surface this information to them. But it’s a struggle. We’re lucky in our organization that we’ve got complete buy-in, but to your point, there are lots of other organizations where people may not be taking this as seriously as they should or have the capacity to do it.
Guerra: We’re just about out of time, I just want to give you an opportunity for a final piece of advice. Picture someone in your position at a comparable-sized health system. What would your best piece of advice be for them?
Garneau: I think one of the things that we talked a lot about are the people that work with you. Your staff is the most valuable asset you have. And it’s important for you to continue to nurture good relations with them, opportunities for them to grow, as well as bringing in new talent. The threats that we face are not going away anytime soon. So you need a dedicated, quality group of people to assist you with your mission. So I would recommend reaching out to places you never have before, go to the universities, go to the tech schools and start building those relationships so you’re not caught without having the staff you need to support your mission and protect your patients.
Guerra: Wonderful. Greg, thanks so much for your time today. It was a wonderful interview. I appreciate it.
Garneau: Great visiting with you today.