On most days in cyber, it can seem like there are a million things to do. For Jim Kuiphof and his team, that was probably the case in 2022 when Spectrum Health and Beaumont Health merged to become the 22-hospital Corewell Health. Of course, there was much foundational work to be done, but Kuiphof notes that sometimes there are even more important fires to put out before one can turn to big-picture projects like org charts. It’s an important concept in cyber – a risk-based approach to deciding what must come next and where the team and its resources should be focused – and getting it right is absolutely key to success. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Kuiphof discusses the keys to prioritization in cyber, the Jim Collins concept of getting the right people on the bus and into the right seats, and the salient attributes he’s looking for in team members.
Podcast duration: 36:01 (24.7MB)
Bold Statements
I’ve used the analogy that you have rowers, you have sitters, and you have hole drillers in your boat.
I don’t need you to create the vision, I need you to be able to listen, learn and articulate a vision. Say back statements, understand how well they can synthesize complicated data and repeat it back in a simple way, engage an audience, and be able to communicate through multiple means – instant message, face to face, virtually, in front of a crowd, whatever it is – role dependent, obviously. So communications leadership is one important thing.
It’s actually not so much when you get the job done; it’s are you getting the job done? And are you communicating about when you’re probably going to be getting it done? That’s more important to me. That’s an aspect of individual accountability and discipline that really goes beyond a generational thing.
Anthony: Welcome to healthsystemCIO’s interview with Jim Kuiphof, Deputy CISO at Corewell Health. I’m Anthony Guerra, Founder and Editor-in-Chief. Jim, thanks for joining me.
Jim: Thanks for having me, Anthony.
Anthony: Great, Jim. Why don’t you start off by telling me about your organization and your role?
Jim: Sounds good. Corewell Health is the newly formed, about two years ago, health system as a result of a merger between Beaumont Health in the Detroit area and Spectrum Health in the Grand Rapids area. Those two systems came together to form what is now the largest health system and actually the largest employer in the state of Michigan.
My role is the Deputy Chief Information Security Officer and Head of our Cyber Fusion Center. I have two jobs, one is right-hand man to my boss, the CISO (Scott Dresen), so I got to do a lot of the executive, forward-looking strategy planning, chief of staff type of work, and then the day-to-day job is to head up the teams that track threats, build preventions, detections, respond to threats, minimize our attack surface, do some analytics for us and internal consulting work across the entire system.
Anthony: Tell me a little bit about this Cyber Fusion Center. What’s that all about?
Jim: It’s an evolution. This is one of the final steps in this evolution when I started 8 years ago. Actually, it’d be 9 years ago at the end of this month. We had a limited capability to do detection and response. Cyber resilience and response is the name of the team. Over the years, we’ve added additional services. We call services ‘standard work,’ standard process, standard ways of doing things. We’ve changed the security taxonomy, the security landscape, the security engagement across the system.
As a result of doing that, we realized there’s a lot of opportunity for collaboration within this space and that’s really where we started to think about how do we bring these different teams together under one director for a common vision, common set of objectives and KPIs in a really behind-the-scenes, practical way of interworking and intercommunicating, to bring defenders, attackers, the red team to test our defenses, the responders, all under one umbrella to act as one team, to provide that cyber defense for the entire organization.
Anthony: That’s not necessarily a post-merger initiative, in terms of bringing the two health systems together. That’s not what it means?
Jim: No. We took advantage of the integration to create the Cyber Fusion Center but it had been in the works prior to the coming together of the health system.
Anthony: Very good. That merger certainly is an interesting thing. You were with Spectrum for a while so was your CISO, Scott, right?
Jim: Yup.
Anthony: He hired you at Spectrum, right?
Jim: Correct.
Anthony: How did you bring the two cyber teams together?
Jim: That was incredible work. The pre-merger is really where that starts, just an understanding of what the two systems’ security programs look like, what they’re capable of, how they’re structured, what roles have staff, what roles have senior staff, right, just really creating that map or taxonomy. Then, it really helps if you can rationalize both parts of a merger or if there’s three, a third part, to an independent security program view, a strategy, if you will. We align to the NIST CSF for example.
You start talking about capabilities and then you can map those capabilities to risk – what risks we think this new system is going to have; rationalize those risks against the capabilities and then say, ‘okay, which side is best positioned, maybe has a little bit more maturity in one space, has a little bit better technology stack in another space? Which one has a more mature framework of operating practices and principles? Policies and procedures, for example?’ How do you bring the governance pieces together?
Then, out of that, you create essentially a road map, right? Where are we going, we’ve got that laid out, in alignment with our strategic risk reduction goals, our security framework, the security taxonomy, some of the procedures and policies, and then it’s, ‘okay, how do we best map and align stack technology and process to that new framework for the total system?’ And then it’s just a matter of executing projects, plug into the enterprise portfolio management office, start laying out the road map, get funding if funding is required, propose budgets for next budget cycle, et cetera.
The hard part, honestly, Anthony, is deciding what goes first, what is the key priority to bring these two programs together and what they need to absolutely go first. Do you want to lead off with the new policy or should we maybe bring an incident response capability in unification across the system? Really, wrestling with those very practical nitty-gritty, what piece moves first to integrate. We laid out a timeline. We laid out a plan of attack. We’re still working through that, believe it or not. We’re still finalizing some of the longer open-ended contracts that we had with vendors, 3-year, 5-year type contracts that either system had, that maybe resulted in a duplication for half.
Okay, so now we get to standardize, for example. The most recent example is around vulnerability management. We had two long-running platforms – deeply embedded, mature process wrapped around those two platforms – and so we had to say, ‘look, that’s not a priority for us right now. We can leave those two programs in place. They’re covering the requisite 50% of the organization. We’re going to do other stuff first.’
Now, after 2.5 years, we’re coming back around. ‘Okay, let’s rationalize the platform that underpins our vulnerability management program,’ and then once we’ve rationalized that platform, we’ll start to rationalize the standard work across the system.
Anthony: Right.
Jim: The beauty of that is we work hand in hand with the app teams, the cloud team, infrastructure teams, networking. We’ve given them a two-year head start to start to come together. Now, as a result of that, we really get to plug into more mature infrastructure relationships to manage vulnerability and we call it ‘attack surface management.’ It’s about managing attacks for the entire organization versus chasing people around while they’re trying to integrate, because that is really difficult. It was a strategic decision – and a very practical one from a contract perspective – to just wait.
Anthony: Right, right.
Jim: Other things like our incident response function, we brought together almost immediately to say, ‘we want to see the attacks happening as quickly as possible, bring logs together, bring our endpoint detection response together, bring our incident response teams together, all under one umbrella, within 6 months.’
Anthony: Yes, deciding the order, as you said, is all about prioritization around risk.
Jim: You got it.
Anthony: These things have to bubble up and be done first.
Jim: Yup.
Anthony: What I’m wondering about is the dynamic of making sure you don’t lose key people. For example, there’s the tools side of it. There’s looking at the tools, overlapping tools and which one are we going to go with long term, all of that. But you have two groups of people that are coming together, and there may be some who have talents that you absolutely want to hold on to. These are key individuals. There may be some overlap. When it gets down to that HR level of retaining key individuals, that seems like a whole different type of work.
Jim: It is. Absolutely, yup. That’s part of the power of a framework, aligning to a framework that’s defensible, that’s measurable, right, creating an organizational structure aligned to that or mappable to that and then mapping in the risk reductions through our standard work and standard process and catalogue – that gives a defensible position to say whether a position is needed or not.
In our case, we are incredibly fortunate, there were no synergy targets placed on information security. I had the luxury of being able to demonstrate a mature program, demonstrate mature people and process and demonstrate really, from both sides, the capability of protecting an org, the size of what is now Corewell Health, and basically making the justification that we need all of the heads we have. The senior executives signed off on that plan.
Now, through that process, there are some people that aren’t interested necessarily in making that journey with us, which was fine. That’s their choice. Maybe there are some philosophical alignment differences, right, new leaders. Scott and I came from Spectrum, you already noted that. Some people maybe will make the choice not to work for Scott and me, but we want to make it clear, right, here are our expectations. I don’t want it to be any mystery what work I expect from my managers, my architects, from analysts, engineers. We make it clear. We lay out the plan. We lay out the program. We can even start to paint a picture for what the next 3 to 5 years is going to look like.
Then if people choose to join us on that journey or depart, it’s mutual then, right. It’s ‘best of luck in your career, totally understand you want to take a different direction. You don’t want to be part of this three years of admittedly very hard work to bring these two systems together. You don’t want to be part of a large system.’ Whatever it is, it’s totally understandable, and we’ve been able to shake hands and part ways amicably with a number of people. It’s unfortunate, right, we don’t want to lose anybody. But, at the end of the day, it’s then an easier choice as to whether you back fill or you eliminate that role.
Anthony: Right. Great point about setting expectations – then they can stay or go. What you don’t want is that “quiet quitting” I’ve read about.
Jim: I’ve used the term you have rowers, you have sitters, and you have hole drillers in your boat. You’ve got a group of people, they’re the ones that are going to be white-knuckling it on the oars. Jim says get to the other shore, we’re going to row as hard and as fast as we can within reason. Now, we’re not going to run people over that are swimming. We’re going to do this intelligently. But some people are like ‘eh, I’m not so sure of this, but yet, I’ll give you the benefit of the doubt.’ And then you have people that are like ‘absolutely not, I’m going to drill a hole in your boat and hope to sink it, even though I’m sitting in it.’ Different issue, right?
And so it’s making the choice for people very clear, and to be people focused and people first. I’ve been a part of organizations that have had to make these hard decisions as an employee, not as a leader. And it’s hard. It’s very difficult as an individual contributor to be sitting there going ‘do I trust my leader, do I trust him with my career, with my job, with my livelihood, if I’m providing for a family.’ You’ve got to make those hard decisions.
My approach – and you can talk to any of the people that work for me – my approach is to know them. Know my people. Are they married, do they have kids, do they want kids, are they single, are they just out of college, is this their first job, have they been doing this for an entire career… so that I can tailor the message uniquely to them and be as engaging at a personal level as possible. At times, it’s, ‘I don’t know what the future holds but when I do, I will explain it to you.’ Other times it’s, ‘here’s what I know of the future, here’s the road map, subject to change but at this point, this is what I believe is going to happen.’ And then other times it’s like, ‘I do know the road map and I can’t tell you. You have to trust me. I can’t give you specifics quite yet. As soon as I can, I will let you know.’
You explain it, you talk a lot, send emails, instant messages, face to face meetings, group meetings, one on ones, you explain it again and again and again. You get really good at telling stories. It’s to build trust and engender trust and, in doing that, I get the benefit of learning who my people are so that I can craft and tailor the message to be even more targeted to what they need to hear.
Anthony: You want to engage and be personal, but you don’t want to overdo it. Some people like to keep their personal lives very personal. How do you strike that balance?
Jim: What you’re hinting at, Anthony, is the listening versus speaking. How much do I listen – which is ultimately building trust as this person shares with me what their deep-rooted fears are, such as, ‘hey, I’m worried for my job.’ And then empathizing but yet – how do I phrase this – empathizing in a productive way. As a leader, I’m going to shape your fears not maybe to alleviate them, but to give you more knowledge so that you can control your fear yourself.
If I was your friend, Anthony, I would be coming alongside of you and trying to support you in your fears. As your boss, I want to know what they are so that I can better represent the future state direction to you. It’s subtle, it’s a little bit different but, at the end of the day, the litmus test for a leader is can I make the hard decisions about this person or not? Can I give them an honest performance feedback or not? Can I give them critical feedback about career development? ‘Hey, you want to get to the next level in your career, here are the things I see that you need to improve on.’ Versus, ‘don’t worry about it, Anthony, you know me, I know you, I’ll just put you on my coattails and we’ll go to the top together. Now, you’ve crossed over that line into the inappropriate.’
Anthony: Right. That’s no good for anybody.
Jim: No. It’s unfair. Fundamentally, it’s unfair to them because you’re robbing them of growth and development opportunities.
Anthony: Yes, 100%, agreed. What would you want someone who is going to work for you to know about your expectations?
Jim: That’s a great question. That changes with role a little bit. Am I interviewing for an individual contributor like an architect – I have architects that report directly to me. That’s an individual contributor role, they’re thought leaders. Or am I interviewing a manager who has people reporting directly to them, in which case that’s a people leadership role. I will differentiate between those two but, at the end of the day, there are some core competencies that I want to draw out.
Communication – how well can somebody articulate a vision. I don’t need you to create the vision, I need you to be able to listen, learn and articulate a vision. Say back statements, understand how well they can synthesize complicated data and repeat it back in a simple way, engage an audience, and be able to communicate through multiple means, instant message, face to face, virtually, in front of a crowd, whatever it is, role dependent, obviously. So communications leadership is one.
How well they execute and deliver. At the end of the day, one of the challenges that we face in information security is a need to get stuff done. We have to be able to deliver, even in light of not having the authority to directly dictate what other people do. So there’s an influential leadership element, even my managers and architects, analysts, engineers, are going to be rubbing elbows with infrastructure engineers, for example. You may need to have them get stuff done, how well can you interface with them, to influence them, to change their course and direction, to be able to get the work done that we need to get done – without a lot of noise, without a lot of drama involved, such as, ‘well, my boss is the CISO so I can go make your boss do this.’ No, we want to be collaborative. We want to listen, understand their requirements, their needs, their demands, so that we can figure out a solution together. That’s the other part of this – that collaborative nature of leadership.
The other thing is can they help me be a visionary. As a leader, I want to be up and out. I want to be thinking 24, 36, 60 months out with plans and directions. Well, I need tactical leaders, operational leaders like my managers thinking about those things with me. So how well do they partner and how well can they manage up to help me know what’s in the details and why you’re saying this is a good solution to the problem we’re facing so that then I can take that, be a champion for it, get the resources and clear roadblocks.
Anthony: Very good. This may be silly but this is what I’m thinking right now. I’m just thinking about this younger generation having a different relationship to work than my generation. I don’t know how old you are, Jim, but you see my hair is mostly gone. You’ve got a little gray there.
Jim: I’m gray. (laughing)
Anthony: Do you need to be clear about your expectations regarding their commitment to work, their availability, when you expect them to be working, when you expect them to respond?
Jim: Yes, absolutely. I think level setting on job expectations, including when I expect you to be working, is key. It’s funny you mentioned that. It’s actually not so much when you get the job done; it’s are you getting the job done. And are you communicating about when you’re probably going to be getting it done? That’s more important to me. That’s an aspect of individual accountability and discipline that really goes beyond a generational thing.
If you choose to shift your schedule, let’s say 8 to 5 – core hours are 9 to 4, we expect people to be in their seats 9 to 4, doing their job. But if you want to shift that and maybe you want to do a 6 to 3:30 and take a half an hour instead of an hour lunch, we can probably accommodate that. But we can’t accommodate that if you do that and don’t tell anybody. Because now 3:45 rolls around and I’m like, ‘I need that report,’ and I’m pinging you and you’re gone and I had no idea you were leaving, I’m like, ‘okay we have a problem.’ But if you communicate that and you’re proactive about, ‘hey, here’s what the plan is for this week, this month, for this quarter, I just had a child, I’m going to have to flex my schedule, whatever.’ If you’re talking to me about it, we can probably make accommodations for you. It’s proactive communication.
Anthony: Proactive communication. Is it a little different in cyber though, in terms of emergencies? For example, this is our level set for when everything is normal, but if there is an emergency, you don’t get to your kid’s volleyball game today, I’m sorry.
Jim: Yes. Yes.
Anthony: Give me your thoughts around laying that out.
Jim: That’s the hardest part, honestly. I’m incredibly fortunate. I call them a team of thoroughbreds and they’re not offended by that. But they want to work. I’m actually having to pull them back and say, ‘please don’t send me emails at 8:30 at night. I don’t need you working that late when it’s not an incident.’
The other part of it is to put up on-call schedules. We have a managed security service provider that does our 24/7/365, and then we have people who are on call to take escalations from them. They’re not eyes on glass 24/7/365, they just need to be available, and we then spread that load across multiple individuals, and we’ll even bring in multiple people to be on call.
As an entire system, we follow the NIMS model for response – who is on call, the most senior person who shows up for the incident is in charge until they’re relieved by somebody more senior. There are some core capabilities here, and that allows us really to spread the entire system-wide response to all in a crisis, not just information security or cyber – across the wide swath of people who are trained, who understand their time-bound responsibilities from being on call, and then also it’s a situation where you can call in, you get a brief, and if you’re not needed, you can leave.
We whittle it down to the core group of people who are absolutely needed as quickly as possible to allow everybody else to be dismissed, knowing this thing is still going on. You might still get called, but you’re not actively engaged in the call. We try to minimize the amount of blast radius, if you will, from a human capital perspective. That works really well, but it takes time to get everybody on that page. There’s a lot of people who want to be involved in incidents because they are great learning opportunities, when you’re working a cyber incident. But the reality is you don’t know if the cyber incident is going to turn into something that goes from 4 hours to 4 weeks.
Now, we need to do shift work, right, and start telling people to go home and sleep for 12 hours, ‘because I’m going to need you on for 12 hours in 12 hours.’ We have to program that in and level set that expectation and then practice it. That’s the other thing that we’d like to do is drills, real world, take advantage of every opportunity that’s false positive or true positive to practice. But then we also run tabletop exercises, drill this idea of when you’re on call what the responsibilities are, et cetera.
Anthony: Well, that’s part of being in cyber. I mean, it’s part of being in medicine.
Jim: Yes, correct.
Anthony: That emergency, responding to emergencies. It’s certainly part of being in cyber. If you’re not looking for that, then you probably don’t want to be in cyber; maybe you need to be in some other area of IT.
Jim: Correct.
Anthony: Right?
Jim: Yup, you got it.
Anthony: You mentioned the idea of having a team of thoroughbreds. You get the right people in the right positions and the right policies in place, then you can watch it work magic. I would think those are some of the first, foundational things you’ll want to do. If you start on other things without those building blocks in place, that seems like it would be a mistake.
Jim: Not to mix analogies, but you’re going to put the cart before the horse if you do that. It may need to happen though, Anthony. There may be some opportunities that are so incredibly obvious in today’s threat landscape and what we know of cyber threats that you’re like, for example, ‘I don’t need the taxonomy. I don’t need the framework. We have to get MFA on all of our remote access portals that are touching the internet tomorrow! I don’t need a risk review. I don’t need anything else. I need to make that as a command and do what we have to do to get that done. That has to happen.’ There are those table-stakes controls. Once you’ve got those, now you can start with the other things you mentioned.
Anthony: Right. You didn’t just mention MFA by accident, I mean Change Healthcare.
Jim: No.
Anthony: Right.
Jim: Six days ago, we found out what happened.
Anthony: When you hear about how and why that happened, are you shocked or are you like, ‘Yup, I get it.’
Jim: I get it, 100%. MFA is one of those where – it was even drawn out a little bit in the testimony. It’s a discipline function. You need to make everyone in your organization aware of some of these absolutely critical foundational controls, like MFA, so that they can be your sensors. ‘Hey, I just logged into this portal and I did not get prompted for MFA.’ Please tell me that. Please surface those types of issues. Somebody calls and says ‘I’m the CEO and I need to change my bank account and routing information for my direct deposit.’ Please raise your hand and say something. I’m not going to be able to detect that.
If you’re on the service desk and you keep taking a phone call from somebody with a foreign accent and you’re a domestic company, regionally based, please raise your hand and say this doesn’t feel right. It’s much better to say I have a concern and it proved to be wrong, than to say I have a concern and I’m not going to say anything because I don’t want to be embarrassed. I would much rather respond to the false positive because our entire workforce can be our sensors then. And that’s the only way we’re going to deal with some of these very complicated, very difficult to find types of issues.
Anthony: The only way you’re going to get that is to create that culture of ‘see something, say something’ and even if you screw up, tell us you screwed up, you’re not going to be punished, right?
Jim: It starts with generalized awareness. You’ve got your awareness program annually and we go through ‘see something, say something,’ here are the things to look for. How are you refreshing that – number 1 – and then number 2, on the back end when somebody does report something, how are you celebrating that? How are you getting your CISO to send them a note with a Starbucks gift card? Thank you for saying something. Thank you for bringing that to our attention. Then, celebrating that as a team, as a department, and then even as an org, if it’s big enough, to say this person is the reason why we didn’t get hit more fully.
Anthony: It’s crazy. But regarding your MFA example, it’s much easier to notice the presence of something unusual than the absence of something.
Jim: Right.
Anthony: But it could have changed everything if somebody did (at Change). Jim, I’m going to give you a quick opportunity for a final thought, best piece of advice for someone in your position at a comparable sized health system. What’s your best piece of advice for that person?
Jim: Unplug. Find ways to unplug, have a hobby, connect with family or friends. You’ve got to be able to get away. I had the opportunity – my wife and I adopted a daughter from India just this spring. From February to April, I was able to completely unplug for two months. You’ve got to do it. Take advantage of your PTO, unplug, leave work at work, cross train somebody to be able to do your job for you so you have confidence in the fact that your job is still going to be done well, and you’re not going to come back to a mess, to lower that stress level while you’re away. But then take advantage of your vacation, take a two-week vacation, get away, unplug.
Anthony: Awesome, Jim. That’s great. It went fast. Thank you so much for your time today.
Jim: Thank you, Anthony. Appreciate it. I had a fun time.