Though he’s just coming up on his one-year anniversary, Geisinger Health System CISO Zack Gable sounds like an executive with many more years leading security under his belt. That’s because Gable knows his job is about “business enablement,” or empowering clinicians with the tools they need to provide superior patient care, rather than putting the organization on lockdown. Of course, doing so securely is where the rub comes in, and that’s why CISOs get paid the big bucks. It’s walking that fine line of balancing empowerment with enforcement, and that more and more involves getting talented niche vendors up to snuff on cyber. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Gable covers these issues and many more.
- Budget Cutting Keys
- Managing Managed Services
- AI Versus Automation
- Battling IT Shadows
- Communication is Key
- App Rat
- How Health System CISOs Have Become De Facto Vendor Consultants
- Talking Business Speak
Anthony: Welcome to healthsystemCIO’s interview with Zack Gable, Chief Information Security Officer with Geisinger Health System. I’m Anthony Guerra, Founder and Editor-in-Chief. Zack, thanks for joining me.
Zack: Appreciate you having me on the podcast, Anthony.
Anthony: Let’s get right into it, Zack. Do you want to tell me a little bit about your organization and your role?
Zack: Yes, Geisinger Health System – we’re an integrated health system based in central northeast Pennsylvania with a couple different arms. We’ve got care delivery, an insurance plan, an academic arm, research and innovation arms as well. We’re growing in various parts of our business and that keeps us on our toes.
Anthony: Excellent, Zack. I’m going to start with an open-ended question, see what’s on your mind. What are either some of the trends you’re watching, things you’re dealing with internally and sometimes it’s not technology, sometimes it’s a governance thing, it’s a policy thing, but what are the main things that you’re thinking about today and working on?
Zack: Yes, I think if you look at the healthcare industry as a whole, and as we come out of the pandemic, the industry as a whole is seeing pretty hefty headwinds and obviously, Geisinger is not immune to that. When we think about the technology side of things, the security side of things, we’re really in a spot where we want to continue to be able to enable the business to digitally upscale and grow with the idea that technology is going to help some of that business growth, and with more technology comes the need for more security.
The goal is to continue to strike that right balance, make sure that the security function is present to support business enablement and to support secure integration and implementation of technology that’s ultimately going to improve the business overall or enable the business overall.
Anthony: Right. With headwinds, you’re talking about tough economic climate, cutting budgets, things like that?
Zack: Exactly. It’s no surprise if you look in the last two to three years, pandemic driven, whether it’s labor issues, labor cost, supply chain cost – it’s very much all of the above.
Anthony: Budget cutting. How does budget cutting trickle down to you? Do you get formally asked to cut a percentage of your budget? How do you cut fat without cutting muscle or bone?
Zack: Yes. Look, I think when you’ve got these tough economic times, we’re all on the same team and we’ve got to do what’s best for the organization, and so we all play a part in that. When I think about how that translates to a cybersecurity function, there’s a couple of things that come to mind. It’s first and foremost, making sure that you’ve got vendors that frankly serve as partners – it’s got to be a two-way conversation and you’ve got to push one another to do more to make sure that you’re driving every ounce of functionality out of a tool or a platform, making sure you’re getting what you paid for.
I think the second piece to that is I’m looking for an organization that not only has the appropriate support model but also technology that’s going to help enable what we need to do. That’s again, a two-way street. It’s looking for that partnership and giving us the opportunity to bring the right technology to the table that meets the functional purpose we have, but also making sure that it gives us the opportunity to integrate our security technology stack where appropriate, and when we have the ability to integrate, we can do things smarter, more efficient.
We’ve heard a lot in the space, right now, talking about automation and I think that’s an area where we can help with some of those budgetary challenges in the way we use our tools and technologies and frankly, react from a cybersecurity point of view a little bit smarter.
Anthony: Do you see managed services as being a tool that CISOs can avail themselves of to help with staffing and budgetary challenges?
Zack: Yes, I think that model has been around and I think given some of the constraints we have that model makes sense in some cases. I think it’s being explored more and more, to your point. You have to think about what functionality, what processes does it make sense to outsource and have a third-party support. I look at that and say that’s an opportunity to allow our internal people to spend more of their time on things that require critical thinking as opposed to repeatable mundane tasks, frankly.
You look at what managed services are off-boarding, but it also goes back to my comment around automation. Some of those managed services are providing that automation on your behalf which is where you reap some of those benefits.
Anthony: The idea of automation and AI, are those very different in your mind? Two different things, right? Automation is more basic, as you said mundane, things that can be accomplished. I think that’s real. Some of the AI stuff that’s out there may be not ready for primetime.
Zack: Yes, it’s interesting. I’m chuckling a little bit, Anthony, and totally agree. I think there’s a need to almost level set and redefine automation versus AI, because I do think at times, while both are fascinating, those technologies or associated platforms get intertwined, but I agree with the way that you’ve broken that down. I look at automation or robotic process automation down at its core – it’s training a piece of software to do something that a human could do. That’s where, in my brain, I think about repeatable tasks that we can go train something to do.
AI and some of the recent buzz in that space, I think it’s fascinating. I think it could really help the industry as a whole. I think with AI and some of these web-based platforms that we’re seeing, they’re exciting but they do come with a fair amount of gray. I think the industry is quickly exploring, how do we leverage these platforms to our advantage to help drive our business but also do so in a way where we’re not taking undue risk.
Anthony: Lots of clinicians want to try AI, and when you combine that with cloud, they can do so sometimes without involving IT. I know CIOs and CISOs have ways to detect when those things are going on, but it would be better if they came to you first in a formal governance process, right?
Zack: I think when you get new shiny objects, there are people, it’s just in their DNA, they want to go play, and I’m one of them. The way I think about that, whether it’s AI or something else, I will always look at people – when we think of a security program, people are the first line of defense. When we think about the usage of these platforms and how somebody is using them, what data they’re putting in these platforms, I think it all starts with training and awareness. It’s making sure people know the impact, if you will, of what they’re about to do when they go put things out in these platforms.
You look at the course of a security function, and security as a whole has really evolved from “no” to “yes, but.” Our job is to securely enable the business such that the business can excel and grow and meet the business objectives outlined by the organization. To me, that comes back to how do we build relationships with folks, how do we understand their use cases, their needs, so that we can apply critical thinking and think about how do we enable folks to do what they want to do, whether to play in these AI platforms or something else, making sure they’re aware of our concerns and working through them together.
I think that’s what it really boils down to – it’s collaboration, it’s making sure that you understand each other’s perspectives. You’ve got, in your example, a provider that wants to do something in these platforms to gain what’s likely to be business value for them and then you’ve got somebody like myself who is concerned about the data and whether that’s organizational sensitive data or patient data. I’m concerned about protecting the data. Like anything, it’s striking the right balance but I think that starts with sharing perspectives and making sure that people understand the different angles that people are thinking about these things from.
We found some success in getting out there, awareness and communication, making sure people understand the challenges we face on some of the stuff. I’m belaboring the point, but awareness and communication is, in my mind, one of the best investments we can make.
Anthony: I totally get it. You want to empower and encourage, but you don’t want to keep finding things on the network because that means there has been a period of risk to the organization. You don’t want lots of shadow IT. How do you reconcile those things?
Zack: Yes, look, it’s a really interesting challenge. At least from my perspective, if you look at shadow IT and you’ve got people procuring services with a corporate card or what-have-you, you have to take a step back and ask why is it happening? Is it that we don’t have something, that something being some type of platform or technology enablement today that said individual could use or leverage? Is it hey, maybe we have something but they’re not aware of it? Or is it hey, if they want to bring something new to the table for the organization to consider, the time to do so is too long.
I do think we’ve come a long way. When we started talking about cloud a few years back, shadow IT was very, very big. Don’t get me wrong. It still exists and it’s still a challenge and concern, but I think we’ve come a long way. I take a step back, Anthony, and think about why would people be taking a back channel approach to go procure whatever cloud service. This may be unfair on my part, but I think it’s probably time to onboard.
It’s all about balance. To your point, when we have things like shadow IT and we have people taking those steps, we still need to run those down because, ultimately, it’s a concern and a risk for the organization and expands an organization’s overall cyber risk profile. There are ways to find it, whether it’s going and looking at corporate cards and identifying the various different cloud outlets that are getting hit in the corporate card or using our technology stack to look at web traffic and what’s going to the cloud. You can definitely drive your cloud usage or your cloud footprint to find those things.
We were talking a little bit before we started about data driven risk management. This is another great example where you can use data, go capture data to tell your story around shadow IT. So I think it’s a little bit of both. We’ve got to continue to use the data to figure out where do we need to go have those conversations and understand the why, not totally shut people down, but understand the why and maybe help course correct or maybe listen, maybe we need to be doing something differently to enable the business.
Anthony: Great points. If you improve the security department’s performance so it’s no longer the place requests go to die, you then have to let the organization know that things are different so they start bringing requests again, correct?
Zack: It’s a really interesting question and I think the other challenge – and I’ll give you my reaction – but I think the other thing we need to think about is we talk about how do you communicate, emails or digital signage – and I was actually having this discussion earlier this week, albeit on a slightly different topic, but the theme is how do you get a message out to the organization?
So you’ve got providers and caregivers that are literally working with patients, they don’t have time to pull out their phones and check their email or log in to their workstations. One of the things we hear a lot about is providers are just being overloaded with email. It takes away from patient care. We’re in the business of providing great care to patients. So we’ve got to think differently about how do we go touch these individuals.
Back to your question, Anthony, I think about – again, we have to step in the shoes of a provider and understand what’s the best way to get a message out, because I think the historic ways of blasting people with email, it works at times but I think we have an opportunity as an industry to be more creative in how we communicate with the end users and ultimately, we are here to enable. We’ve got mechanisms where we have weekly communications with providers.
The other thing that I’ll share that we found some success in is having steering committees with different providers where we can relay something, whether that’s new technology, whether that’s talking about risks. But I think it’s trying to find avenues or outlets where you can have these discussions but have a two-way discussion. I think it’s important to allow the providers to ask questions where you send something out via email or notification, somebody might email you back and respond but I don’t know that that’s the best forum for somebody to react and ask that second and third question that gives them comfort about what it is we’re trying to achieve.
Anthony: You talked about providers. Those are a huge component of your users. Some could argue the most important customers you have. When they do provide feedback to you, is it all about speed around security? It’s all about I don’t want to have to log in 10x, this multi-factor authentication slows me down. Is it all around speed or are there other concerns they have when it comes to security?
Zack: I think the general feedback that I see is it’s primarily speed. If you bubble it up, it’s speed and throughput. These folks, when they come to the table, again we want to hear their voice. We’re here to enable them and help do what they do in a secure manner. It’s speed and making sure that if they need a widget, we can get that widget to the table for them to use in a very timely manner that’s ultimately going to provide better, or help impact, patient care.
Anthony: Right, right. That widget makes me think of application rationalization. It’s not a quick yes, right, because organizationally we don’t want to do that. We want to make them happy but we don’t want to do that because that might not be right for the enterprise. Application rationalization is a huge thing these days. It dovetails in with headwinds, economic downturn and just sensible business practice and it dovetails in with security because the tighter our family of apps, the more we could keep an eye on them.
There’s a lot that goes into asking for a widget these days to make sure it’s right for the organization, but you have to marry that, like you said, with the speed and responsiveness and, if you’re going to say no, it has to be a good why – we already have it, it’s not a secure tool, here are some alternatives that are more secure. Take me through that from an application rationalization, from a security point of view.
Zack: Yes, it’s been an interesting journey when we think about app rationalization in the healthcare space because, to your point, there’s business value and bottom-line dollars that can be saved by going through that process. I think one of the things that I’ve observed and, full disclosure, I obviously have a vested interest from a security standpoint and I love the way you frame it – we rationalize applications. We shrink our footprint a little bit and in turn we gain security value by doing that.
One of the things that I’ve observed that I think is really an industry challenge, and we were talking about this in that conference I mentioned a couple of weeks ago: when you think about app rationalization and applications, especially on the clinical side that enable our providers to do what they need to do, we’ve got varying levels of what I call application maturity, and associated vendor maturity in the industry. And from what I’ve seen, I think the industry has made a fair amount of progress in a short period of time as we’re thinking about app rationalization. But I think pretty quickly here, my suspicion is we’re going to come to a fork in the road, because we’ve got vendors that we’ve worked with historically that fall into a smaller mom and pop type shop bucket. They provide us service to enable our business and they’re really good at the service they provide us, but because they’re small, they’re less mature, and when we start to think about things like security and risk, those have been, frankly, afterthoughts.
One of the things to round this one out, Anthony, that I see with app rationalization is we’ve made a lot of good progress but now we’re getting into the buckets of some of our smaller niche players where if you look at the market and assess the market, there’s only one or two players in the space. When you start to – people like myself come into the conversation and start to talk about vendor risk or security risk that those vendors pose to the organization, it’s a difficult conversation because if you tell somebody hey, you can’t work with this vendor, they’re going to come back and tell you well, I’ve got no option. This vendor enables our business process and we need this vendor to be successful. That’s a snippet of where I think we’re going.
In terms of the next phase of app rationalization, we’re going to have to put our heads together as an industry and really help think about how do we enable some of these mom and pop shops, some of these smaller players, if you will, that might not necessarily have the resources to have robust security programs. I think we’re going to have to put our heads together to think about how do we enable them because again, they provide a service back to the industry that’s needed but they can’t necessarily be up to snuff in terms of where we’re at and our needs from a security or vendor risk perspective.
Anthony: That’s interesting. I usually associate a lower level of cybersecurity functionality with a new (or start up) vendor. You think they’re new, they’re just starting up and they have great functionality but they forgot the cyber piece. But from what you’re saying, there could be small vendors that have been around for a long time that work with a large organization like Geisinger, they’re highly functional and the users love them but they never took care of that cyber piece. They never got up to snuff there, and they won’t or they can’t. Is that what you’re saying? You just can’t say to them hey, go get HITRUST certified?
Now, I’ve heard just as a side note – I’ve spoken to some CISOs who they’re big on that. And they said now there’s tiers, so it’s a little more manageable. Tell me a little bit more about that dynamic you describe. It’s very interesting.
Zack: Yes, I think you’re seeing a shift and it’s not going to happen overnight, but some of these vendors that have been niche players, they provided a critical function. I don’t know that they’ve really felt the need to think about security. But now, whether it’s regulatory purposes or what’s happening in the cyber threat landscape, I think these vendors are getting pushed by organizations such as Geisinger to do more.
Again, my view is we need to be part of the solution and help challenge some of these vendors to do more. That’s how we better the ecosystem as a whole, is to work together. I think you’re seeing some shift and I think things like HITRUST and the different tiering will help because we can take more bite size chunks, if you will, to bettering some of these smaller players. Obviously, it won’t happen overnight, but I think the next iteration in all this is how do we position – and I know there’s some discussions from a regulatory perspective – how do we position these vendors to be able to grow and mature, provide the business value or functionality that’s needed, but also come to the table with a sound security posture.
Anthony: It’s so fascinating and I’ve heard – I can remember the conversation with another CISO who described the exact dynamic you’re talking about and said “I feel like a consultant some days.”
Zack: Yes, I think it comes back to – one of the things we talked about earlier is relationships and perspectives. One of the things that I think our team does a great job on as part of our vendor risk program, we can articulate our inherent risk of vendors and then our residual risk after working with the vendor, and helping a vendor mature. I think it starts with again, collaboration, but it’s also making sure that the vendor has some type of actionable framework. Because for the most part, as gaps or issues are identified, most vendors are receptive and most vendors understand why an organization like Geisinger is pushing for more. Most vendors get that.
I invest a fair amount of time having some of those discussions with vendors, making sure that again vendors understand our perspective and it’s more of being interconnected. It’s making sure vendors have our perspective and understand why we’re pushing for more, number 1. But then 2, it’s giving them something actionable that they can go work from. I think we’ve gotten better as an industry giving that actionable, I’ll say checklist, but it’s more than a checklist. It’s something that a vendor can take and internally operationalize and show the bite size chunks that are being bitten off to improve their posture as a whole.
Anthony: I would imagine it’s very helpful to them. It’s a free consultation, right? They’re getting free feedback, a gap analysis from where they need to be. Just for fun and without naming anyone, have you ever had a vendor who was not receptive to your requests for them to improve?
Zack: I chuckle a little bit. You definitely have that and what’s a little bit funny is you have those discussions and then, it’s unfortunate, but those are the people you see in the news.
I think it comes back to everyone’s got a lot going on. A lot of the vendors we’re alluding to are not in the business of cybersecurity; they’re in the business of providing the service or selling widgets to enable the healthcare industry as a whole. But cybersecurity is needed to do that; otherwise, we’re going to have downstream issues. I think vendors are – they’re getting it, albeit maybe not necessarily at the pace that the broader healthcare industry needs all vendors to get on board.
Anthony: One more question, Zack, and then I’m going to let you go. I want to be sensitive to your busy, busy schedule. I appreciate you taking the time. You’ve been CISO for about 9, 10 months there, approximately?
Zack: Yes. Hard to believe, coming up on a year.
Anthony: Congratulations. Congratulations. Your best advice – obviously you’ve had good success in your career and I hope it continues – your best advice to someone below the CISO level, could be one or two rungs who is interested in attaining that position, what should they be doing in their jobs today in order to be considered for that type of role?
Zack: A couple of things come to mind, Anthony. I really like that question because it’s no surprise that there is a huge demand in the security field. I don’t know the most recent number, but there continue to be plenty of job opportunities in the security field, so I really love that question on how we think about growing the field as a whole.
My quick reaction is it’s relationships, right. It’s building relationships, getting to know your stakeholders. It’s collaborating and you can leave all of the technical expertise to the side. Step one is building the relationships and understanding your stakeholders and the perspective they bring to the table. To me, that’s step one.
From there, once you’ve got that foundation built, then I think you start to share the security perspective. Here’s what you’re being brought in to do and here’s some of the things you think about but, to me, it all starts with relationship building.
Anthony: That’s a great answer. Don’t start getting all technical in your interview for the CISO role, right?
Zack: Right. I think what’s interesting is if you look at the security world and security practitioners as a whole, one of the best skill sets that I think one can have is being technical but understanding your audience, and it’s an art. But being able to translate technical security risk speak to business impact or business speak, after you build your relationships, step 2 is – and maybe even in parallel, I guess, I’d argue – is think about your translation approach. How do you translate tactical, technical to business speak? Because I think the role of a CISO continues to evolve. I know there’s different kinds of perspectives on this, but from what I’ve seen – I’ve been seeing – we’re moving away from the tactical/technical – and don’t get me wrong, we need those skill sets. We need more of them. But because security has to be a business enabler, we’ve got to be able to talk business speak.
Anthony: Really, Zack, I love it. Great stuff. I want to thank you so much for your time today. Really appreciate it.
Zack: Thank you, Anthony. Appreciate you having me out here.