Randall “Fritz” Frietzsche has been on a mission to protect and serve for a long time. Way back when, it was in traditional law enforcement as a deputy sheriff. Later, as he embraced his technical acumen, it was in cybersecurity. But Frietzsche, Enterprise CISO for Denver Health, attests that all the technical chops in the world won’t make you a good cyber executive without learning how to communicate and build relationships, no matter how far that might force introverts out of their comfort zones. Once built, those relationships will serve the cyber leader well, as business heads seek them out for security’s stamp of approval, rather than doing everything possible to keep them out of the mix. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Frietzsche covers these issues and many others.
Anthony: Welcome to healthsystemCIO’s interview with Fritz Frietzsche, Enterprise CISO at Denver Health. I’m Anthony Guerra, founder and editor-in-chief. Fritz, thanks for joining me.
Fritz: Anthony, thank you for having me.
Anthony: Very good, looking forward to a fun discussion. Fritz, let’s start out. You want to tell me a little bit about your organization and your role?
Fritz: I’m the CISO over Denver Health. Denver Health is a hospital system in Denver, Colorado. We also have a lot of other healthcare-related functions. We have a health plan. We have the health clinics inside of the Denver City County jails. We have health clinics inside the Denver public schools, all the ambulances in Denver including the airport, our Denver health ambulances and paramedics. We have our own public health department so lots of complexities, lots of really cool things we do for the community, and so I make sure we run our business securely from a technology standpoint.
Anthony: Perfect. I’d like to start this open ended and find out just what’s on your mind, what are you thinking about these days, what are the trends you’re looking at, anything like that.
Fritz: In my sector in healthcare, ransomware has been and will continue to be the biggest threat that we see out there. I always talk about the CIA triad – confidentiality, integrity and availability. Availability is the bottom of the triangle because it is the foundation. If it’s not available, that will cost your organization a lot of money. But in healthcare, it can cost lives or make people worse. If the hospital is down due to ransomware, not only are we losing a lot of money but, more importantly, we are not being in the community, as our mission is to serve those who will need us when they’re in an ambulance on the way for a heart attack or needing a surgery. If we’re down due to technology, that is a very bad thing for the community that we serve.
The threat is really the same and ransomware is really evolving. It used to be that they would send you something – malware, you get it, it infects everything, it encrypts everything and then they ask for a ransom to give you a key. Then it became we’re going to come in advance, exfiltrate your data, then do the ransom thing and also ask for an additional ransom or more ransom so they won’t release your data to the public.
Now, it’s really become almost like the Sopranos, organized crime, where they’ll do all of those things to you and then they keep coming back every month and ask for their monthly payment, and it’s just an extortion scheme. Once you pay, they know they could just keep showing up over and over again and they’ll just continue to hold your data and threaten to release it unless you pay them an ongoing payment. The attackers are always more and more sophisticated and we have to continue to be very well-trained, make sure we have the right controls in place and make sure we have the right operators who can quickly spin up, quickly respond, detect and recover.
The other thing I really have seen over my years of experience is that we’re great operators, we have tools, we block and tackle very well, but when 9/11 happened, that was an intelligence failure. We should have known about it. We should have had the ability to do something about it and to prevent it. I think we need to make sure that we are not only great operators but we are great intelligence analysts.
We really need to get a grip on the amount of intelligence and the quality of intelligence we have available to us and utilize that in a way to help prevent attacks. I think that’s something we haven’t really thought of much. I really don’t hear a lot about that, but that is really something we can take to mature our industry as a whole and leveraging the cloud security vendors is another good way of doing that. They get intelligence because they have such a large global install base, and they’re getting the threats and they’re seeing the threats, and then they have the ability to update their databases and that will instantly apply to all of their customers. That’s one way you can leverage intelligence they’re seeing to apply immediately downstream to your controls.
I see so much intelligence out there but how much of that is actually getting input into our controls and how much of that intelligence is being used to help us think more strategically about how do we build our posture, how do we mature and become more resilient and hopefully prevent attacks in the future.
Anthony: We call that, I believe, MTTR (median time to remediate), that type of thing – how short is the duration between when we find out about something and when we can plug the hole that we just found out about.
My question to you about threat intelligence is can it feel like drinking from a fire hose, can it be overwhelming the amount of intelligence that you have coming at you if you subscribe to a number of feeds and things like that. That’s something I’ve been discussing with people about chasing false positives, how it can really be detrimental to a team’s effectiveness, for obvious reasons. Your thoughts there, we want threat intelligence to move towards prevention, how do we do that well?
Fritz: Really it is the quality of the intelligence, right? I mean if you just send me a list of 1,000 IP addresses, from a question of usability, that’s really pretty low because those things can change. Even domain names, those can be changed really rapidly. It really is having an organization that can do the analysis on the information and then present you with intelligent intelligence, right, presented to you in a way that really encapsulates what this thing is and not just all the IP addresses you’ve seen in the last day. That, to me, is really important. I get information from the FBI, Secret Service, CISA, we have our ISACs that we get information from. Really those are tuned to receive quality intelligence and not just a bunch of IP addresses.
Having that information we can really decipher the threats and then do our own analysis specific to our organization and our sector and make sure we understand to prioritize that list of threat intelligence and make sure that we’re actually covered on these things.
Anthony: One CISO I spoke with said he felt one of the most important elements of his job right now is that MTTR, having the structure in place, the intelligence feeds and the internal structure to get that to a minimum. Do you agree with that?
Fritz: So I’ve been saying for years, and this is an old statistic, but the FBI used to say it takes 19 minutes for an advanced persistent threat to get so embedded into your network that you’ll never find them, 19 minutes. In an organization, let’s say you have someone on call and they get a page at 2:00 in the morning, how long is it going to be before they wake up, get out of bed, get to their computer, log in, connect, open up the alerts, start looking at them and trying to figure out the context.
Now, you’re talking 20, 30 minutes before we even understand what the context is and by that time, you’re just done. Having those automations built in, having an organization that has some telemetry engine that can take input from your controls and your alerts and can filter those out and have that analysis done and then even have the ability to quickly act on your behalf. That really reduces that MTTR to a low point, to a very quick action. I think that is really critical to make sure that you have that.
For me, we have that and we’re working towards instead of being security operators to be cyber threat intelligence analysts. We want to free up some of that blocking and tackling to make sure that we have the ability to go out and actually do the analysis of the intelligence and then apply that strategically to the organization.
Anthony: Does what you are saying about folks having to get out of bed mean managed services would be attractive? Especially if you are working with a company that has locations around the globe?
Fritz: Well, I would say it’s hard to find good people in cybersecurity. I mean there are many great people in cybersecurity but it’s hard to find them. It’s also a challenge to spin up an internal FTE-supplied security operations center. If you can find a good security operations MSSP, that is an asset I think strategically and we have chosen to do so, we’ve outsourced that to somebody – that’s their bread and butter. They have 24/7 high level analysts and then we have people on staff who are doing that work during the day, but we chose to go with the outsourcing arrangement, and I think that we’re more cost effective that way, and then we could focus our internal resources in a different way.
Anthony: You mentioned internally, you do want your people being analysts. You mentioned external analysts, a lot of time we have to figure out what it is we’re going to do internally and what we’re going to outsource, right?
Fritz: It really depends on everything. It depends on the organization specifically. Sometimes you want to have that in-house SOC. You want to have those people who are really focused and trained highly. The issue is you have to train those people really well if you’re going to do that and it’s expensive to train cybersecurity operators. The other side of the coin then is for those few FTEs that you have and you have outsourced the rest of that, then you want to make sure that those people are doing the right jobs.
One possibility is having them doing some auditing, doing some analysis of the infrastructure, how often do your people have to change their passwords, how often do administrators have to change their passwords. Get an automated audit plan going so that you can have that stuff happening every month and, instead of being 100% security operators, they are also auditors and they can do a lot of that work that is really hygiene, and hygiene is your biggest risk. The lack of proper hygiene is the way that you’re going to get hacked. So having those folks doing that work, they’re very familiar with your internal organization and your infrastructure and they can do that automation and get that stuff not only fixed but keep it up to date, keep it clean.
Anthony: Let’s talk about phishing emails. That’s the biggest vector, right? It’s the bad link, it’s the bad attachment that’s coming in through an email. It’s maybe some social engineering where someone’s positioning to be someone from accounts payable or accounts receivable or an outside vendor, they get creative in things like that. That’s in my mind, that’s like one bucket of threat. We also know that there’s a lot of concern around the device-based vector which is like a medical device, or a printer or a camera or something like that. Do you see those as different buckets?
Fritz: Certainly biomedical and IoT is different than phishing. If you go to industrial manufacturing, they have controls there that are really old, very expensive and you can’t update them sometimes and you can’t patch them sometimes and you have to allow remote support from who knows where, and so all of those things are really outside of your normal standard in the way we think of cybersecurity, Windows devices and firewalls and things like that. The biomedical device, the MRI machines, how do you secure that thing? That thing costs multiple millions and millions of dollars and you’re not going to replace it every year or two with the most recent updates. You’ve got to connect it to your network.
We’re looking at virtual nursing where they actually put IoT cameras inside of the room to monitor for, mainly, patient falls. They want to see if a patient at a high risk of fall starts to get out of bed, the intelligence inside of these cameras can actually show the movement of that patient and then send an alert to say this patient is trying to get out of bed, and that way you can respond and go in there and help them, and hopefully, prevent a fall, and lots of other uses for that.
But just think about it from a security perspective; my hair is on fire about it because I’m like, ‘How does this thing connect, what data does it have, are you identifying a patient, where are you sending the data, is it in the cloud, is it secure in the cloud?’ That’s the fun part and the challenging part about cybersecurity is that there’s so many things going on and they’re really cool in healthcare, but you have to be able to dig in there and make sure all the pieces and parts and connectivity are done in a secure way. Those are really fun for me. I like dealing with those types of things.
Anthony: And we have to get the governance worked out where they come to you at the beginning and not after they signed the contract, right?
Fritz: 100%. I teach cyber risk management for Harvard University and I have five classes a year and, in that class, we really learn the fundamentals of cyber risk management. But what they don’t teach you is really the operational implementation and management of risk in an organization, dealing with all the different things you have to do, the politics and the processes. And so for me, the number one biggest challenge in cybersecurity risk management is a cultural one. And that is how do I inject myself into the purchasing process so that I know about these things and we have the ability to look at them, risk assess them, identify anything that needs to be mitigated before we actually sign on the dotted line. Because once we sign on the dotted line, we lose all of our leverage. So getting yourself injected into that purchasing, all the different ways the organization buys things, we have to be there so that they know about security, and it’s really a cultural thing.
And that does start with governance. It starts with, from the top, this is what we’re going to do, every time you buy anything, you have to follow this process or you don’t get to buy it. As long as you have that buy-in, then I can go and say, ‘Mr. Purchasing Manager, IT Manager, you have to go through this process every time for any time we’re going to buy technology or share data.’ And that has been a challenge in every organization I’ve worked for, and that’s something that I try to teach my students as an operational aspect of risk management.
Anthony: Do you feel like you’re in a good place at your organization now in terms of people getting security involved early in the buying process? Did it take a little time to get there?
Fritz: Absolutely, it took a lot of time to get there. In the beginning, they didn’t know who Fritz was, right? Now everybody is like, ‘Oops, did you ask Fritz if we could buy this, well you better ask Fritz now.’ Everybody knows we now have that process in place, a very clear process that’s been communicated and they’ve been educated on, and so they go through that process. We do what’s called risk stratification and that’s just them telling us a few highlights about what they’re doing, what data is it. Is it sensitive data? How much data? Where is the data going to be? Is it going to be in the cloud? Then, from that, my team could go out and pull that, send out our questionnaires and things like that in order to fully risk assess the solution and then we put it in our GRC, and see if there are any mitigations needed.
The other thing that I make sure I always do is have what I call CLPS – compliance, legal, privacy and security. Sometimes the business has to do it. They really want to do it. Let’s say we’ve identified this one big risk that is a showstopper but they want to do it anyway. I say, ‘okay, in our policy, it says you’ve got to call a meeting of CLPS, compliance, legal, privacy and security.’ That’s generally the executives, the privacy officer, the CISO, the chief compliance officer, and the general counsel. We all meet with the executive of the team that wants to buy that and that executive needs to, in light of my translation of the actual risk, justify why they have to do it anyway.
Then, the compliance organization and the leadership of that team or department can get together and make a decision going forward as to whether or not we really want to do it. Most of the time that ends up being a no. If the CISO and the CIO were telling you no, the general counsel generally isn’t going to overrule it. That’s been an effective operational thing that we’ve done in risk management.
Anthony: Very interesting. What would your advice be to either a new CISO or a CISO in an organization where things are not coming to them when they should and they are being told, ‘this is the way we’ve always done it, why do I need to come to you now?’ What would your advice be on how they can get things changed over there?
Fritz: Well, that’s a pretty big answer. Clearly, building relationships with the right people in the right areas is really critical. One of the things you have to do when you’re building relationships is be able to demonstrate your competence and your trust, and then you’ll have that great relationship. Once you have that, then if Fritz says we have to do it, we probably need to do it, and that’s because I’ve spent years building relationships and demonstrating my competence and building trust to a point where they say, ‘Yes, we better listen to Fritz.’ That would be my biggest piece of advice.
Anthony: Underlying these relationships and underlying your skill is I’m guessing the message to your customers or these internal people that, ‘I want to help you, right, I don’t want to say no, I understand you want this thing, I want to help you get it but here’s a problem or here’s why we have to do it this way or that way or it’s going to take more time,’ but it’s got to be communicated that I want to help.
Fritz: No, that’s 100% true. Certainly that’s a given that the CISO’s job is to support the business. So I want to help run the business, grow the business in a secure way, and so they know that I’m there as a partner with the business, but I’m going to always have their back. I’m always going to be watching out for the best interest and the security certainly of our patients, our families and their visitors and our employees. Yes, it takes a while to establish that.
Certainly, if you say no to everything, you’re going to get a bad reputation and you probably won’t have your job very long and you’re not going to enjoy it while you have it. Really, it is being a partner to the business. And when you present to the business, always be selling. That’s what I say, always be selling. You have to be selling yourself, you have to be selling your program, why you’re there, what the value you bring to the business is and, once they get that – a lot of it has to do with branding, right. The professional branding of yourself and your team. We have a blurb at the end of every email, every single team member – excellence is our standard. We have that as a motto for our team, and that’s the message that we send to the organization. It’s like branding. The organization knows that we hold ourselves to the highest level of excellence and that we’re here to help the business be successful and protect our protectees, and really it drives me a little bit into the whole sheep dog concept.
The sheep dog is protecting the sheep from the wolves. If you’re in military, if you’re in law enforcement and even if you’re in cyber, your job is to stand on that wall and watch out for wolves and to protect the sheep from the wolves. I saw a picture of an actual sheep dog that had fought the wolf and was all bloodied but the sheep were safe. That protecting and serving is what we do whether we’re in military, law enforcement or cyber, we protect and we serve. The key concept about the sheep dog is that we’re not related to the sheep, we’re actually related to the wolf. We’re a dog and we’re related to the wolf. And so we understand the wolf. We understand their motivations, we understand their tactics and their methods and we are in the best position to protect the sheep.
Anthony: Very good. Availability, you mentioned it at the beginning of our discussion. It seems to me it would be important from an educational point of view and letting them understand why cybersecurity is important to tie it to availability, right? These systems you use, your tools that you use to practice medicine, if we don’t have good cyber hygiene, if we don’t follow some of the things I’m saying, if we don’t embrace cybersecurity, you won’t have them. Try and take care of your patients without them. You don’t want to do it. We want to tie that in, right?
Fritz: We did an exercise. We got all the executives in the room and we did a tabletop exercise. The exercise scenario was we are down due to ransomware for 30 days, how do you run your business, how do you serve your patients, how do you treat your patients. Nobody had thought about that before, how dependent we are on technology. Well, we can fall back to downtime procedures. That’s the common theme, right? Go to paper charting and do all that. Well, we didn’t have enough inventory of paper charts to last a few days.
That exercise we did right before the pandemic and we have since done a lot of stuff like ordering forms, downtime forms repositories. Things that you would never have thought of but, considering how dependent you are on technology, how can you continue to serve your patients without technology, without connectivity to the internet, without email, certain systems that may go down, how do you do that? It’s really been a great thought process for the leadership of the healthcare side of our business to think through that.
Anthony: I could keep going on that for another hour but I only have you for a few more minutes. I know you’ve done a lot of work. I know you were in law enforcement which is great. I know you’ve done a lot of stuff with the FBI, the ISSA and you recently were inducted into their Hall of Fame. Touch on any of those things in our last few minutes whatever you want to highlight.
Fritz: Really as I talk about building relationships, networking – those are really important activities to be successful in cybersecurity. If I hadn’t done any networking in my career, I would never be where I’m at today. It really is about the activities that you’re involved with, the organizations and the people that you’re involved with and really having those relationships.
And one of the ways to do that which I found out very quickly was the ISSA – Information Systems Security Association. It’s a global organization. It’s been around since the ’70s and they have chapter meetings locally and you go to those meetings and you network with people and you learn. You have a speaker and you get to listen to a speaker, you have lunch, whatever, and you have fun. To know those people over time to the point where maybe you’re going out to lunch with them once in a while, and really building the relationships, you learn from each other, you learn from that and it’s really a cool way to give back. The older you get in your career the more important it is to give back. It’s very important to me. So that’s one way I do that.
But then also through those networking relationships, I’ve gotten involved with the FBI, the FBI CISO Academy. There’s only been 13 classes now and I was in class number 13. They send you to Quantico, Virginia, at their national training academy and for a week, you spend time in classified briefings and you get really high level information about what the FBI does and some of their actual investigations and how they’ve taken down some of these dark net organizations and their infrastructures and give you advice to take back, especially how to interface with law enforcement and just making sure they’re available if you need them. That’s not 100% of the time though, they’re going to look at your case and they’re going to see if they actually want to send somebody, but certainly understanding when it’s appropriate to engage with law enforcement, especially federal law enforcement, is important. So that was really interesting. We got to do a lot of other cool things, like we got to go to their range and shoot their guns. We got to go see the hostage and rescue team which is really the people you call when what hits the fan, those are the people fast roping, and so just things like that, very cool.
I got nominated because one of my former students is an FBI cyber agent. He nominated me to go to that. Really it is giving back and having those relationships and that’s the way that I’ve continued to build my career; and teaching for me is really my retirement plan. I plan to continue to teach even when I’m not a CISO because I always want to be giving back and I always want to mentor and help the next generation because we’ve come a long way, but we have a lot farther to go.
Anthony: As I mentioned, you were previously in law enforcement. You want to tell us briefly about that, just tell a little bit about the – it’s a natural continuum from traditional law enforcement to what is essentially enforcing cyber laws and then, as you mentioned, we have that bridge between the cyber and the physical where you can have cyber crimes that are taking place, that eventually result in physical arrest of human beings, one flows right into the other.
Fritz: Absolutely. Yes, I was a deputy sheriff in Indianapolis, Indiana which is Marion County. I was a deputy sheriff for five years and I always had a technical aptitude. I always wanted to take things apart and figure out how they work and put them back together again.
Shortly after I left law enforcement, I went into IT. I started on the help desk and I worked my way up and I got certifications and degrees and everything else along the way until I got into cybersecurity. That really hit the spot for me. That’s me. I’m the guy that protects and serves. For me, cybersecurity was just as natural as law enforcement, and I think that’s the mindset. I’ve mentored folks who have come from law enforcement into cyber. I’ve mentored folks that have come from the military into cyber. We all have the same mindset. We’re there to protect and so we understand, we learn the tools and we learn the techniques and analyze the intelligence and apply those in a way that we can protect what we’ve been charged to protect.
Anthony: Final question. Any final piece of advice for your colleagues based on your experience and what you found that’s made you successful in your career?
Fritz: From a non-technical standpoint, certainly being able to communicate well, being able to build relationships. If you go out to these events and these chapter meetings and academies and things like that, if you’re in a room with somebody, if you’re in a room and you don’t know them, change it, go up, introduce yourself. ‘Hi, I’m Fritz. I’m X, Y, Z.’ Because that person is probably doing the same thing.
Most people in technology are introverts and it’s not natural for us to just walk out and make ourselves known and shake a hand. But definitely do that, make an effort to go out and shake hands, make an effort to improve your communication skills. It’s really, really important in building relationships, to be able to communicate well, verbally and via email and everything else. You have to be able to communicate well. That’s really an important thing, and find a mentor. Find somebody who has done it and is willing to share and help you.
All the people on my team, they know I’m there for them. I’m their champion and I will help them and I’m teaching them to be the next CISO, basically. Find a mentor, attach yourself to them and take it seriously. I never had a mentor for a long time and now that I’m able to be a mentor, to me, it’s one of the best parts of my job.
Anthony: That’s wonderful, Fritz. I guess you go by Fritz quite a bit it sounds like.
Fritz: I do.
Anthony: Well, Fritz, it was an absolute pleasure. I think our audience is really going to enjoy this so thank you.
Fritz: Yes, sir. Thank you, sir, for having me.