Unless they work for technology companies, CIOs aren’t technology executives, according to Maria Sexton, CIO at the University Medical Center of Southern Nevada. Rather, they are business executives with technology expertise. It’s a nuanced definition, she admits, but one whose understanding makes all the difference. And with that understanding comes a change in approach from passive (taking requests) to active, where a deep knowledge of the business empowers CIOs to offer not only technology solutions to business problems, but business solutions to business problems. In this interview with healthsystemCIO Editor-in-Chief Anthony Guerra, Sexton discusses this dynamic, her journey from the help desk to information security officer to CIO, and the keys to building out a well-rounded team.
BOLD STATEMENTS
I’m very intentional, again, about making sure I’m still talking to our line-level employees and making sure technology is working for them. What I say here all the time at UMC is that on the other side of every phone call, every ticket, every issue, is a patient.
… in order to be successful in the role and to be successful to the organization that you’re leading, you have to be able to recognize: I’m good at these things, but I’m going to need some people in here that are really good at those other things. Then, together, we’re all successful.
… it’s not IT and the business; it’s only the business.
Anthony: Welcome to healthsystemCIO’s interview with Maria Sexton, CIO at the University Medical Center of Southern Nevada. I’m Anthony Guerra, Founder and Editor-in-Chief. Maria, thanks for joining me.
Maria: Thank you, Anthony. It’s great to be here.
Anthony: All right. Excited for a fun chat. Can you start off by telling me a little bit about your organization and your role.
Maria: Certainly. As you mentioned I’m the Chief Information Officer at University Medical Center of Southern Nevada or, as we lovingly and locally call it, UMC. UMC is a large healthcare system here in Southern Nevada. We are a 541-bed acute care hospital. We have clinics throughout the valley, primary care, urgent care, specialty clinics. We are the state’s only level 1 trauma, the state’s only level 2 peds trauma. We have a center for transplantation, burn care center, and we’re the oldest hospital healthcare system in the valley. We’ve been around for more than 90 years.
Anthony: Very good. You’ve got an interesting past, and we’ll touch on that, and I’ll tell you why. Now, this is going to be a security-focused interview. You have a lot of security experience where you were the information security officer and things like that. Very strong security background, but now the CIO, and I don’t know if you have a CISO so that’s something we can talk about. But just a little bit about your background.
I am seeing a lot more of this trend from an infrastructure-to-security-to-CIO role pipeline because of the importance of security, I think. It’s pretty clear. But just tell me a little bit about your journey and we’ll go from there.
Maria: Sure. Gosh, it seems like a thousand years ago but it was just about 30 years ago that I started in IT, as a lot of people do, on the help desk. I started in my career in 1996. Interestingly enough, the same time the internet came into being. It was a great time to be in technology at that time. I started in IT, again, in help desk. I started doing desktop support and things like that.
But before I had gotten my first job in IT, I was not in technology at all; I was working as a secretary but I was looking for something more lucrative in terms of a career path. And so, while I was working as a secretary, I went to school and over a year obtained both my Certified NetWare Engineer – remember back in the Novell days – Certified NetWare Engineer certification and my MCSE – my Microsoft Certified System Engineer certification. I had a lot of paper, but not a lot of experience.
Remember what they called it back then, paper CNEs, paper MCSEs and so I had the paper but not really the background, but at least I showed an aptitude for technology. I got my first job on the help desk and really cut my teeth there. I think from there just through my career, it was just lots of opportunities. I hate to call it luck, right, it’s when experience meets opportunity. I moved to Las Vegas and had an opportunity to join a contractor for the federal government here; there’s a lot of government presence in Nevada, and had the opportunity to move from help desk into more of a network and systems engineer role. But that’s where I got the introduction to security. Remember, again, this is early days. This is when security is still being done by network and security people and systems people. There was no security as an industry.
I happened to be at work one day, one of my system engineer peers says ‘you know what, I need a second for security. I’m on call all the time, we have to do all the work, who’s interested?’ I raised my hand. That was ’98, ’99 and I started doing firewall work, intrusion detection, anti-virus, again early days. But that was my first exposure to security. And then through my career, I’ve just kept one leg on one side and one leg in the other. I’ve had many roles as Director of IT or, like you said, infrastructure positions and then roles as Director of Global Security Operations or running information assurance type organizations.
Throughout my career, I really kept that, again, straddling both sides – the leg in IT and the leg in security – which has allowed me then to continue through my career ISO, Director of IT, sometimes as both, many times as both. Then, when the opportunity here at UMC came up for the CIO, I was in the perfect spot. I was able to take over. I have lots of years of experience, if not decades of experience in traditional IT, the operational side, but almost as many years in security too.
As you mentioned, for a long time, I was the ISO even here at UMC and had a team. But just last October, I was able to promote one of my leaders into the ISO role. Even though security still rolls up to me, operationally I have an ISO now that runs security. I have to tell you, Anthony, it was very intentional to stay in both sides. As you said, if you grow up with IT, you have that infrastructure background which really just strengthens you as a cybersecurity practitioner. You have to understand how the bits move, and you have to understand how things run and how they operate on a workstation or on a server in order to secure it; that’s my belief.
Anthony: Right, so that’s network and infrastructure. But would you say even a rung – I hate to say below, but even a rung below that is the help desk. Coming up through the help desk, is that the bottom rung on the ladder – and I mean that in a very positive way that if you have spent time, if you start out at the bottom, and you do get to the top, you have obviously a super rich and deep appreciation for almost every role. So the help desk, you’re going to have sympathy, you’re going to know what they’re going through and you’re not going to be like, ‘well, just do it, because I have no clue.’
Maria: Right. You are 100% right. I say this with absolute sincerity. When I worked on the help desk, that was my favorite job of all the jobs I’ve had in my almost 30-year career. I am very customer service oriented, and what I loved about my very first job is that half of the time I spent on the phones and half of the time I spent on the floor going to the customer. It was incredible.
The communication skills that you develop when you’re trying to help a customer over the phone – right click here, point there, look for that icon – versus when you’re at the desk side with that customer … when at the desk, they want to get back to work, they don’t have a lot of patience, they don’t necessarily want to learn about IT; they just want you to fix the problem. And so I really credit that first job in really helping me, like you said, to develop an empathy and an understanding for our ‘customer,’ and I say that intentionally.
You might be wondering; I don’t call the people that we support here users. In my mind, that’s a very derogatory term. They are our customers. We are their service provider. You really develop a great skill in terms of how you communicate, how you interact with customers over the phone or in person. Then, like you said, the help desk, they are the hub. They know everything that’s happening, new systems that are going live, problems our customers might be having, things that they might be getting a hint of that’s starting to escalate in the environment. It’s a very important role. Again, it was probably one of my favorites given the interaction with the customer.
I don’t have as much of that now as the CIO. I do, but it’s at a higher level, right. I’m very intentional, again, about making sure I’m still talking to our line-level employees and making sure technology is working for them. What I say here all the time at UMC is that on the other side of every phone call, every ticket, every issue, is a patient. We don’t directly support patients, we support those who support our patients. We are interacting with the nurse or a provider or a radtech or an EVS worker. It doesn’t matter. On the other end of that is a patient and their family and that’s who we’re here to serve.
Anthony: If you want to move up to the CIO level, I would imagine you’ll need to have conversations with others and really know how to communicate. You’ll need to take some roles, like the help desk, where you develop those skills.
Maria: I think that’s a great point, Anthony. You’re absolutely right. I think back in the day, and I remember even probably uttering these words myself to all people in IT that I might have been leading – director, manager, CIO, whatever – and saying things like, ‘you’re going to have to interact with the customer and improve your communication skills and all of that.’ But I think now we really have gotten to the point where the industry is so large, both security and IT, and there are so many different opportunities to be a practitioner that doesn’t necessarily have to be the case.
But to your point, right, you have to be honest with yourself and say, ‘well, if I am the person who does like to interact with inanimate objects and I’m not comfortable speaking with people, then it’s okay.’ But your career, to your point, may be limited and that’s okay. If you ever look at those 9 box things where you assess an individual, okay, maybe you’re always going to be a very strong individual contributor and there is nothing wrong with coming to work every day doing a great job and going home.
I think, at a certain point, you’re right, I don’t know why we look at that in IT but we’ve really, here at UMC, in my division, we’ve been very intentional about identifying where people fit best. If you are someone who is comfortable interacting with customers or, like you said, maybe you’re not, but you do aspire to be a CIO or a CISO or CEO, whatever that might be. They’re going to help you through that. But you’re right, you must be able to communicate. You must be comfortable speaking publicly, even if the public is 50 people in a town hall. Those skills have to be there. I think it is part of what we used to call the soft skills, the professional development that’s something other than technology.
But there are some people that are very, very comfortable just behind the monitor and the keyboard doing a great job every single day and they don’t aspire to take on, let’s face it, the challenges of being in a leadership position. It’s not all corner office and martini lunches.
Anthony: No, but it should be. It should be. (laughing)
Maria: Especially in IT and security, it should be.
Anthony: No, but I think you make some excellent points that people have different strengths in different areas, and I think you hit the nail on the head when you said that if you do have C-suite aspirations, you have to learn how to get up from behind the computer.
Maria: You do.
Anthony: And if you don’t, but you’re awesome at this one super high level skill and you just bang it out, great.
Maria: Good for you! You’re killing it. You’re making money, you’re going home, you’re living your life. Yeah, you’re okay with that. But that’s the honest conversation, I think, sometimes leaders don’t have. You have to have that honest conversation. Do you have the potential? Do you have the desire? Do you want to do that? If not, that’s not a mark against you, but we’re going to turn our attention to this individual who does actually want to do that.
Anthony: Right. I have heard thinking in the past – which I never agreed with – of forcing people out of their comfort zone. That was a management theory, a leadership theory, where I don’t want to do that thing but you think, as my manager, part of your role is to make me expand my comfort zone. I don’t want to go. I understand the cost of me not going there. It may limit me in certain areas, but I don’t want to do it. I never agreed that forcing people to do things they don’t want to do was a good thing.
Maria: I’m the same with you, Anthony; I don’t agree either. Someone may want to get out of their comfort zone but, like you said, they made an actual intentional decision. They’ve said, ‘yes, I don’t like speaking in front of people but put me in front of this group, I’ll do a presentation.’ But yeah, why are we dragging people, kicking and screaming out of their environments they’ve chosen in order to, I don’t know, fulfill something. I’m 100% with you.
Anthony: Yeah, by definition right. So we’ve pulled you out of your comfort zone so I’ve made you uncomfortable.
Maria: Right.
Anthony: And now I think you’re going to be more effective now that you’re uncomfortable?
Maria: That’s a great point.
Anthony: You might go find somewhere else where you can be comfortable again and leave, right?
Maria: Yeah.
Anthony: That’s great. That’s a lot of fun. You mentioned you have an ISO which is a legal requirement, someone has to be designated as the ISO. Correct? That’s different than having a CISO, right?
Maria: Well I guess it is. I mean, it’s the same. In our organization, we haven’t really defined it as a chief level so it could be a CISO or an ISO. I don’t know. We do have to have somebody defined that is overseeing our security operations. In the world of HIPAA, you do have to have a HIPAA privacy and a HIPAA security officer. Our ISO is the HIPAA Security Officer. So yes, I do have that.
But for a long time, I had both of those roles, Director of IT and ISO and then CIO and ISO. But I knew I did need to relinquish the operational responsibilities to someone else.
Anthony: It’s interesting to me. I think you were interim, right – interim CIO for a little bit?
Maria: For a couple of months, yes.
Anthony: You came into the CIO role with, obviously, very strong security skills, so have you sort of built the skill sets around you that you needed? For example, you may not need a CISO, but you may want a CMIO; whereas an MD who becomes a CIO may not need a CMIO but will surely need a CISO. Does that make sense?
Maria: That does make sense. It’s interesting you ask that question. Again, very early on in my career I had been very purposeful about wanting to eventually get to a CIO position. Early in my career I had determined that I was not a gifted engineer. I was great operationally, but I was not going to be that great network engineer, systems engineer. I started developing my skills to get into leadership. Again, I was very thoughtful and purposeful about that. But I remember saying even to myself and to my husband, who is also in IT, ‘you know what, when I eventually get to that CIO role, that top role, whatever that is, I am going to build the organization that I want – the individual contributors, the leaders.’
When I came into the CIO role, again, because I have so much IT and security, these weren’t really two areas where I thought, ‘okay, I’m coming in with a bit of a gap.’ I hope it doesn’t sound like I’m full of myself, it’s just that I’ve had a lot of experience and I’ve done a lot of things. One area that I really did need to be very intentional about in ensuring that we did have a strong leader is in our electronic health records side of the house.
We are an Epic shop. We’ve been Epic since 2017, very proud. We’re just so blessed to have that wonderful EHR. But that was an area I don’t have a lot of experience in. That was an area where, although I’ve done tremendous amounts in IT and security, I needed to make sure that I brought in a leader and he created or developed the leadership team to make sure that he could help me and we could fully understand the capability of Epic, how it was serving our customers, what we could do with it. I put a lot of thought in that.
The other position that I brought in as a director is our Director of Data Management and Analytics. This individual came from Finance. I brought him over into IT, promoted him into a director position and he has everything data. He’s doing programming, business intelligence, analytics, reporting, database administration, interface management. That was an area, again, where I had some experience but not business intelligence, not analytics, not big data, and so he has done a wonderful job in that. Because, let’s face it, everything is data driven now. I think, for a long time here at UMC, we didn’t really realize the jewel that we had in terms of all the data we have because of how long we’ve been around.
But those were two areas. So security, I’m very strong, my ISO is very strong. I don’t have any issues. My director of IT, very strong, I have an IT background, very strong. Those two I felt very comfortable. But I was making sure, again, and being very thoughtful about the leaders over EHR, electronic health record, and over data management and analytics. I have a great management team that run each of their towers, if you will, or departments, and so we can fully support the hospital in all aspects.
Anthony: You perfectly answered the question and you understood exactly what I’m trying to get at. I guess the idea is that you need the flexibility built into the role so you can create that team around you which complements your skill set.
Maria: You know, Anthony, it’s interesting too because I have to imagine a lot of people that finally get to this role or any role, your role, others are very type A, like to control things, and it may have to be that way. I think if you’re passive and a wallflower, you’re probably not going to get to these levels. Because it takes a lot, it really takes a lot of commitment and that strength. It’s hard to relinquish that. Because I’d be lying if I stood here and said it was very easy to delegate that.
But to your point, in order to be successful in the role and to be successful to the organization that you’re leading, you have to be able to recognize: I’m good at these things, but I’m going to need some people in here that are really good at those other things. Then, together, we’re all successful.
Anthony: Absolutely great point. And even some of the things you’re good at you, perhaps, shouldn’t be doing anymore when you are promoted to a higher level, because they will prevent you from focusing on what you’re now supposed to be doing.
Maria: You are so right and that is so true. Not only do you bring in those strong leaders that then can run their own respective areas in order to run a good operation but then it gives you that time to be able to do the strategic work. I have to say that was a bit of a challenge getting out of operations. Again, I’ve been in operations for a long time, whether it be security or IT, it’s an area of strength for me and it’s an area that I naturally fall back into.
Anthony: Of course.
Maria: I’ve been a CIO here for almost four years. You know what I didn’t know about this role? You sit on the outside looking in and think it’s this and that, and once you get on the other side and you really see what it is, it’s a whole new learning and development path in terms of again relinquishing some of the operational responsibilities, understanding strategy, the business, the finance. It’s just amazing what I’ve learned in the last four years – again, from the outside looking in before I was a CIO, I thought, ‘oh I can do that; that’s just director of IT on steroids.’ It is so not that. It is so not that role.
Anthony: That’s really interesting. Can you give me any more color for the directors out there that are aspirational to the CIO role, what would your best advice be to them to prepare for that role, things they should start maybe trying to learn about, meetings they should request if they could just sit in, ‘I just want to sit here and I’ll be quiet and I won’t say anything, but I just want to hear,’ – I don’t know, what are your thoughts there?
Maria: Anthony, you couldn’t be more spot on. Like I said, before I was the CIO here, I was the Director of IT and the ISO and I had communicated to my boss, at the time, the CIO, I intend to sit in your chair one day. Not before you’re ready to go, obviously.
Anthony: You clarified. (laughing)
Maria: That probably sounded a little threatening. And then he decided to retire and so it came a little faster than I had intended. Anyway, it all worked out and I got into it. I would say that one of the biggest things I’ve learned – and this is something I’ve been saying for a while now – is it’s not IT and the business; it’s only the business. I think that in a way in IT, we have somehow relegated ourselves to these roles where we’re like satellites buzzing around the organization and we’re only called in when they need a new computer or something happens and then we buzz back out again. I think that if we speak that way, then in the minds of the stakeholders, the business leaders, they do think we’re just the commodity, we just make sure the computers are on. We’re not part of the building and the execution of the strategy of the organization.
If I were talking to myself 5 years ago or maybe talking to directors of IT or directors of security that aspire to these roles, you must understand the business you’re in. I’m in healthcare, I’m not in IT. I think about this, I never hear the CFO say it’s finance and the business. I never hear the Chief Nursing Officer say it’s nursing and the business. They speak the business because we are the business.
What I would say to anybody who’s looking to get into this role is every opportunity that you can, present yourself as a business leader with the technology background. You’re not a technology leader unless you work in a technology company. I know that’s probably nuanced, but it’s really important. It’s the way we present ourselves. Again, if we say things like it’s IT and the business, then we are actually saying we are separate from the business, and we’re not. So certainly make sure that, again, you’re presenting yourself – I am a part of the business. Whether I’m a tactical leader or a strategic leader, whichever role that I’m in, understand what business you’re in, what matters, what matters to UMC.
It’s not just the obvious, we deliver patient care – well, of course we do. We’re in healthcare. What matters? Do we have opportunities to grow market share? Where are they? What are we talking about in terms of where we’re going to open clinics? Is there a service line that’s suffering that we may need to, with technology, help grow; therefore, increasing our revenue? Are there opportunities where technology can help decrease cost?
You and I talk and, since we’ve been doing this awhile, those ideas sound natural coming off our tongues but that’s the language you speak. Never has my CEO – who I report to – asked me what percentage of storage we’re consuming or what our compute looks like. They don’t care. Those are table stakes. They’re nothing that I’m ever going to talk to my peers, chiefs, my boss, the board about.
So I would say if anybody is thinking about it, anywhere that you can, you say committee meetings, ask to go to a staff meeting of a business unit and say, ‘I’ll present on technology, can I sit in and listen to some of the problems that you’re having.’ If you do that, you’re going to start picking up on what their business challenges are and then you’ll pick up again too on what their business is, right, whether it’s the pharmacy, it’s radiology, it’s cardiology, it’s EVS, it’s finance. That’s just not something I thought about.
Again, my thought was well, it’s just being the Director of IT, but on steroids, just more operational. Again, it couldn’t be more of a 180 from that. That’s what I would say to anybody thinking about it.
Anthony: Yup. You need to be there and offer ideas rather than just waiting for them to call you when they think they need IT.
Maria: Exactly. Or what will happen is they’ll create shadow IT. They’re going to work around you.
Anthony: Oh yeah.
Maria: Because if you don’t come to the table, they’ll ask their favorite vendor, and their vendor will say they have a technology solution. And then the next thing you know is you’re getting this call and they’re saying we’re implementing this system but we don’t need UMC IT, the vendor is helping us. So I think it’s one of those.
But again, I’ve been very, very intentional. I’ve used that word a lot because it’s been a really important part of what I’ve been doing with my own self development and professional development. It’s ‘we are the business.’ It’s never, ‘what’s your business problem,’ it’s, ‘what’s our business problem?’ Every project is a UMC project, every opportunity is a UMC opportunity or a challenge.
Now, I would be lying to anybody who’d be listening to this if I said this was easily done. It has taken me probably the better part of 18 months to 2 years of my 4-year CIO job to break through. I’m not saying every organization and every leadership team is like that, some might be a little more advanced. Here, again, I’m coming in after a period of time of IT leaders that really did treat IT as ticket takers, just call us when you need something. We weren’t called to the table when we were thinking about opening a new clinic, starting a new service line, doing something like that, where from the beginning we could say, ‘these are the things we can do with technology.’
And maybe it’s not just technology, maybe even we have some business ideas. I’m a patient too. I might say, ‘well you know, I think our patients would do better if we did this.’ The feedback doesn’t necessarily have to be in my own swim lane of technology. I’m a business person too, so it’s asking good questions. But it’s taken a while to change the credibility. Because remember I was promoted from within, if I came from the outside as a CIO, maybe the reception would have been different. Do you know what I mean? But I came in from the Director of IT and ISO to the CIO, so it’s hard to break people’s perception of you. They’ve only known me this way. I have to now show them a different Maria. That’s all on me.
Anthony: You were also bringing a different dynamic to the CIO role. So not only – it’s both those things which requires a lot of education and re-orientation and getting people comfortable with what you’re trying to do.
Maria: Right, exactly.
Anthony: We’re almost out of time. We’re actually at time. I’ll ask you one more question and then I’ll let you go. You mentioned the dynamic of being a type A personality. When you’re like that, it can be a mistake to manage that way, to expect that approach. As a leader, you have to be on watch for burnout. What are your thoughts? Is burnout a real thing you’re seeing?
Maria: Anthony, it’s very real. You’re absolutely right. I don’t think anybody had to tell us that healthcare was in the cross hairs of our adversaries, I mean, right. We’ve known that for some time now. Actually, it’s public knowledge about three years ago we were the victim of a ransomware attack here at UMC. I think, as a security practitioner, you always know that day is coming. You know the day came, we shed a few tears, did a few deep cleansing breaths and then we got to work. I think it’s a very real thing.
But it’s like anything, people that become police officers or firefighters or go into the military, it’s certainly understanding the job you’re going into, right. I think you’re built for that. If you’re not, then it’s probably not a role you go into. Do you live with the stress every day that proverbial shoe is going to drop? We’ll be attacked again, it’s just the law of averages.
We make sure that our teams are ready. We exercise a lot. We run our incident response plan a lot so that they’re comfortable. Even when we had our security incident, it wasn’t about being punitive, who didn’t do what, who dropped the ball. We’re the victims, right, so we’re dealing with that. I think it’s again, of course, building an environment where unless I know somebody has done something intentional, it’s not punitive. We learn from all the things we do.
We’re constantly looking at our organization to see if we can improve. I think part of it too is we have a reasonable assurance. We don’t have an absolute assurance. No one has an absolute assurance that they’re not going to be attacked and if attacked, going to be able to fully defend themselves. It’s not possible. The adversaries have more money, more time, no laws, no scruples, no policies. They will always be ahead of us. Our goal here is just to make sure the adversary is within sight. We’re not going to get ahead of them but we can’t lose sight of what we’re working towards. It’s just a balance and I think, from my security team, they really like the fact that I have a security background because they don’t have to come in and have to tell me about that.
The stress is always there but, again, we have lots of type As in security too. They went into these jobs eyes wide open. It’s just really balancing that. But I think, again, it’s an environment of support. We talk about things. It’s not hair on fire, I’m not screaming at people. This is what we do all day every day. When it happens, like it did three years ago, and will happen again, keep calm, let’s just take care of things, let’s get the organization back to where it needs to be. I have an incredibly supportive CEO and board, so that helps as well. It’s a good relationship.
Anthony: That’s wonderful, Maria. It’s a great place to end things today. I want to thank you so much for your time. I really enjoyed it.
Maria: Thank you, Anthony. This has been wonderful.