In this interview with healthsystemCIO’s Anthony Guerra, Bob Schlofelt, Executive Director and CISO at Valleywise Health, discusses:
- His experience in multiple industries;
- Why healthcare is up there with the most difficult industries to be a CISO (hint: because every doctor is another boss);
- Why the fact that many health system physicians are not employees makes IAM challenging;
- Keys to successful BCP (hint: practice, practice, practice);
- Thoughts on the merits of different CISO reporting setups;
- Keys to a great first 100-days plan for CISOs starting new positions;
- How to handle risk acceptance by business units (hint: document it)
Anthony: Welcome to healthsystemCIO’s interview with Bob Schlofelt, Executive Director and CISO at Valleywise Health. I’m Anthony Guerra, Founder and Editor-in-Chief. Bob, thanks for joining me.
Bob: Thank you, Anthony. Appreciate the opportunity to talk to you.
Anthony: Awesome, Bob. Let’s start off with you telling me a little bit about your organization and your role.
Bob: I’m with Valleywise Health. We are a health system in Phoenix and the county hospital for Maricopa County. We used to be part of the county government, and we sort of still are. We do get some of our revenue from county property taxes.
We are also what’s called the safety net hospital for the county. In the event there’s any kind of disaster, we get called up first. We’re also the POTUS hospital for Arizona. If the President or VPOTUS comes to town, they don’t necessarily stop by but if there’s an event we’re their first stop.
Anthony: I didn’t know that. Is there a designated hospital in every city?
Bob: It depends on the President and the Secret Service. There was one time last year when POTUS came to town and one of our other hospitals in the area was called upon because he was going to be visiting there anyway, so it made sense for them to just do that. The CIO and/or I will get a call from the Secret Service or advance team asking “are you guys ready, anything we need to know about, anything going on?”
When the VPOTUS came to town we had just moved into the new hospital so it’s kind of a showcase. It’s all brand new. That was one of the reasons we were picked again. Usually they’ll pick a government related facility, not just a private facility. Being a safety net hospital is just that, we’re the county entity for Maricopa County, the largest county, population wise, in the state.
Anthony: Very good. I know that you have spent the majority of your career outside of healthcare, correct? But in security?
Bob: I’ve been in and out. I was in healthcare once before with St. Joseph Health in California. I was a Regional Security Officer, and I covered Texas and New Mexico. I was also with BASE, a life sciences company that made heart valves, and then I came to Valleywise, a true health system.
Anthony: With that experience, do you have any thoughts in terms of what you see inside healthcare versus outside when it comes to cybersecurity, either a commitment to, a percentage of spend or even risk profile?
Bob: I think the risk profile is the same regardless of the industry. Because we’re a county hospital system, we are a target. If you think about the bad guys who try to get data, they then try to get money. We have a lot of data. If you think about your medical record, outside of what your accountant or tax preparer has, we have everything. We have addresses, your medical history and in most cases, everything about your financials and employment records. I worked for Experian years ago. They have everything but they don’t have medical records; whereas we’ve got all of it.
From a cyber perspective, anytime we’re in the news, you’re going to be a bigger target and so we have that concern. Our CEO is on the news often talking about our new facilities. We also have a big foundation that is looking for funding, so we always try to promote ourselves.
From a cyber perspective though and I’ve had this conversation with some of my colleagues, data is data. We have healthcare data, we have patient data, whether you’re in healthcare, financial services, automotive, industries that I’ve been in before, mutual fund management, the data is the same. The tools, techniques, policies that we use to protect and monitor that data really don’t change from industry to industry. My last organization wasn’t healthcare but it was county as well, there’s a lot of people that are into public service. People who run for office, people that work for a different public, government entities, they’re not doing it to get rich, they’re doing it to serve. Some people call it servant leadership whether it be religious or government. They do it to serve.
Some of my colleagues at Valleywise Health have been here 20+ years. They came up through the help desk and now they’re senior leaders and directors and running big portions of the organization and I admire that. With security, the uniqueness is – again, I go back to the data. We protect the customer data, so our patient data.
In healthcare systems the physicians or providers work for the medical group, they don’t work for the hospital. We work with them and partner with our medical group, just like a private hospital partners with their medical group.
When I was with St. Joseph Health, we had St. Jude Medical Group. They were the physicians. They’re all Providence now.
Anthony: That dynamic of having physicians that are not employed by the health system is pretty unique to health care. They need to have an identity and be on the network but they’re not employees, that’s pretty unique to healthcare, right? How much does that complicate things or make things more challenging?
Bob: It complicates things to a certain degree depending on the partnership you have with the medical group. District Medical Group, DMG, which is the group that we work with, is also a teaching hospital so we support a lot of the medical schools in the area, Creighton, the University of Arizona. The physicians are here doing their residencies and then they come back maybe as attending later.
But the medical group, it is an interesting dynamic because they’re going to have their own unique identifiers. We onboard them as a pseudo employee in our access management systems because they need access to the medical record systems as much as the clinical staff does. It’s important to have that partnership with the medical group. Again, I think we have a really good partnership with our medical group. It’s getting better. Like any other partnership, it gets better over time.
With Nuance, there were changes in our medical record system when we moved to the new hospital. Different technologies come across. The technology piece is one that has really become more important in recent years. We have a 260-bed hospital which is pretty good size. If you think about the devices, everybody has a network connection, and there are computers all over the place and monitors everywhere. They’re all wireless, some of them are not devices that we can monitor through traditional security measures. Endpoint protection, and put an agent on their monitor, they don’t allow it. We’ve got IoT devices, that fine word, IoT. My refrigerator at home is an IoT device, how fun.
With IoT devices, monitoring the activity on those can be a challenge. Because we have multiple manufacturers that create devices whether it be infusion pumps or whatever it is, they’re all managed and they’re all on the network. We try to monitor the activities the best we can. But it’s that network fabric that we have to make sure is buttoned up. But then, we’ve all seen it before, they call them WSW, Workstation on Wheels. They’re all over. I mean they’re running around like crazy. We’ve got several hundred running around the hospital.
Those as well, they’re workstations that everybody uses. The authentication, you walk up, scan your badge, do your work, log out, walk away. Or if you walk away without logging out, then it logs you out shortly thereafter. It’s kind of like my truck. By the time I’m 50 feet away it locks all the doors. It’s no big deal.
The challenge is those kind of things you wouldn’t necessarily find in other industries. I’ve been in financial services, worked for a large mutual fund management company and everybody is at their workstation. Our biggest challenge was getting people to lock their computer when they get up to go grab lunch or go to a meeting. With the hospital system, it’s much more critical because it’s patient data sitting there.
So we have to audit that kind of thing and look for it. We have to walk around the facility and look for monitors that might be pointed in public view. If there’s something on the screen that should be only for the person working on it, then we have to make sure that they’re all strategically placed. We just went through an exercise of putting privacy screens on monitors and it took about a day for the nurses to say “no, no, get this thing off here. I can’t read it.” Because they’ll move around, they’ll have two nurses standing over their shoulder watching something. And unless you’re sitting right in front of it, you can’t read it. So those went away. We’re working on things like that. There are a lot of unique challenges in the hospital system.
Anthony: A couple of fun questions here. Would you say that healthcare is one of the most challenging industries to be a CISO? Give me your top three from most difficult to least.
Bob: I belong to a couple of security community groups so I have conversations with CISOs from a lot of different industries including healthcare. Rank the most difficult or challenging – I think mine is the most challenging.
A couple of things come to mind – hospital systems have tighter budgets, because for the most part they’re not for profit or they’re county. I have another CISO colleague friend who is in retail. They have stores all over, lots of them. Some are owned, some are franchised so you have that uniqueness there. That’s a lot of challenges, a whole different group of regulations. Some of it falls back to what regulatory body it’s under. In retail you have PCI. If you’re a hospital system you have HIPAA, and we all try to come together on some common ground.
The most challenging I would say is a tie between retail and healthcare because of the uniqueness and the vastness of it. We don’t have 100 stores around town but I have a couple dozen clinics and three acute care centers and a couple of medical buildings plus doctors and providers. I keep calling them doctors because I’m an old guy. They don’t work for the medical group and I love them, they’re critically important to our organization.
In most big organizations you’re going to have an executive team and executives want things their way. I would too. I do too. But they want what they want when they want it, and usually have a dozen or so executives, the Cs, I am including me as one of the Cs. But in a medical environment the physicians are considered Cs as well. You’ve got instead of 12 or 15 to work with, you’ve got 200, 300. Doctors I love, they’re smart people. Obviously, they went through medical school and I think I’m a pretty smart guy too. But I get a call all the time, “hey, we found this great technology, can I put it on your network?” No, you can’t.
Anthony: Do they ever say put it on your network as opposed to can you put it on your network?
Bob: No, no. Sometimes they’ve already done it and say “well, we’ve attached it to the Guest Wireless, can we get it over on the network?” No, no, no, no, no. Most of the organizations I’ve been with have been Windows-based organizations and so with all of that technology and love with Microsoft, but then you get a few folks that love their Mac, they love their Apple, and you try to work with the endpoint protection. You ask “can I install this?” and they say “no, no, this is my personal one. You can’t put anything on this.” Then I say “you can’t put it on my network.”
Sometimes as a CISO, you have to say no, no. The other challenge is USB devices. One, we always train people: if you find a USB stick in the parking lot, and it’s got a fun logo on it, don’t just bring it in and plug it in and see what’s on it because you’re asking for trouble. HIPAA requires – and I think it’s a HIPAA requirement, so correct me if I’m wrong – that as a patient, if you come in and say ‘I want my medical record on a CD’ or ‘I want it on a thumb drive,’ we have to do it. Obviously, we give them a pretty intensive disclosure saying once we hand this to you, we’re off the hook if you lose it. USB devices are a challenge.
Bob: Kelly Summers, our CIO, recruited me. Kelly retired a week and a half ago but remains as a contractor until they find his replacement. I admire him tremendously, all the work he’s put in. He got Valleywise to a point some years ago where they would issue iron keys instead of USB sticks and IT absorbed the cost. Iron keys are encrypted and password protected so we feel comfortable using them because our job is to protect the data.
Contractors, marketing, radiology and our bio-med teams, they all need to put documents on these devices and either trade them with others or use them elsewhere. Those are all challenges and we have a challenge now, let’s think about it – radiologists, great group of physicians and people that can read those images and it’s quite a talent. They want to work from home too. We set them up so that we can push pretty intense images, usually a lot of bandwidth space into a high resolution set-up they have at home.
The other dynamic we run into is physicians. Anthony, let’s say that you went out and you got your medical degree and you go to work for a medical group that also serves other hospital systems. You might do work for Valleywise and Banner, and Honor and Children’s and, and, and, and. So from a data protection standpoint, you’ve got authorization to do work with Valleywise. But we have to make sure that (1) you’re not using your Valleywise equipment to do business with somebody else. Because wait a minute, we didn’t provide you the equipment to flourish your business. And then on the private side, a lot of physicians have their own “company.” Lots of challenges in those areas.
I coach my team on this regularly, actually as early as this morning. We talk about all the use cases, USB was a good one, all the use cases involved. I have to keep them focused on creating our policy for the 90%. Yes, there’s going to be that 10% that’s odd, but we focus on that 90%.
Healthcare and retail are the hardest CISO jobs and you work your way down the list. I think folks that are in manufacturing – I spent some time with Hyundai – it’s not as challenging because it’s pretty cut and dry. You’re working with franchises, you get in because of the dealerships, but the manufacturing side is your company. I’ve worked in engineering and construction, again, those are things that are pretty static, a lot of different things but it’s project managers and engineers. It’s pretty static to work through the policy there. Healthcare is changing, it’s always changing and research happens.
Anthony: If you have to have a tie breaker between healthcare and retail, in healthcare you’re dealing with patients, that’s got to put you over the top. Something goes wrong in healthcare, a patient could die. If something goes wrong in retail, maybe somebody gets their identity stolen, not a pleasant situation but nobody is dying.
Bob: Here is a good example of a failure in retail… my wife and I were out to dinner a week and a half ago at a local place and we hadn’t gotten our order yet but we got our drinks, then the power went out. “Sorry, we can’t cook or collect money so the restaurant is closed.” That was their problem. It would be the same with a cyber attack, “you can’t do it.” But in a hospital system, we’ve got backup power. But if we have an attack or you have a denial service ransomware, whatever you want, something, it can impact patient safety. Doctors took an oath to do no harm, and we do all we can to prevent any issues with patient safety. The redundancy over top of redundancies, especially in our critical care units, operating rooms, et cetera – for the power to go out in the middle of an operation especially if you’re the guy lying on the table is concerning. Those are the kind of things that take on a little bit different dynamic in a healthcare system.
I used to be involved in some groups that were on critical infrastructure. Natural disaster, who gets services first, second, third, fourth, fifth, and it used to be hospital systems were usually the first online to get power back, to get any kind of services back. That changed, I don’t know, probably 8, 10 years ago where the ISPs, internet service providers, they’re first now.
Anthony: Really?
Bob: Everything is running on the internet. If you think about a hospital system, for us to bring our data center back up, that we can bring it up and work within the hospital, but all those IoT devices, sorry, without the internet we can’t support them. The ISPs are the first because first responders, the police and fire, ISPs, cell service, all those types, will come back up first. Everybody communicates that way.
Without them, I mean think about most businesses, even you and I talking right now, without the internet, we’d have to do this in a coffee shop, face to face. I mean we can have cameras recording it but after this is over, you do a little editing, click, click, and it’s published. And without it, there’s a lot more steps involved. The criticality of healthcare in that you’ve got to look at patient safety.
Anthony: Well, you make a lot of good points and the internet service providers and the cell service coming up first makes perfect sense. That sort of dovetails into a conversation around business continuity and disaster recovery. What I’ve seen recently with some of these outages due to ransomware is that it’s extremely difficult to practice healthcare without the digital tools that the providers have been given. It’s so hard for them to continue to practice their craft without these tools, it’s almost impossible. That’s to your point about why internet service providers and cell service are coming up first, because it’s not much of a hospital without the technology anymore. How does that affect your business continuity planning?
Bob: Well, we exercise it. Along with the state and the county organizations we exercise business continuity. One of the things that we’re pushing more and more is, yes, we have an electronic records system and it’s one of the best out there, huge company out there out of Wisconsin. But can the physicians do paper charting anymore?
If they had to do it, if they had to have that chart in front of them and write their notes, yeah, they’re going to get transcribed later but it’s the same thing with ransomware, how quickly can we thwart the threat and recover. The disaster recovery and business continuity piece, we all strive for active-active data centers. We don’t have a lot of cloud so we have a pretty strong data center presence. Having that active-active data center is important because if we have denial service or ransomware attack that were to take down the data center, we would have to build them to block it off, fail over and get back to work because it’s patient safety again.
Another group within Valleywise practices the DRPs. It’s not just from a security or IT perspective, it’s from the hospital itself. They practice it so if we lost power for a short period of time or if we lost internet connectivity or we had some sort of threat, we’ve done active shooter threats, we’ve done bomb threats where things have to change real quickly.
In a hospital system too, there’s a lot of alerts that go off that we have to practice for. Code blues and we’ve got a new one. Until I started at Valleywise, our previous Chief Medical Information Officer said that in his 9 years, it never happened, a code pink. Code pink is a child abduction.
Somebody walks in the peds unit and scoops up a baby while nobody was paying attention and out the door they go. We have practiced that one because it happened about the fourth day I was on the job. I asked “wow, how often does this happen?” And the physician who was our CMIO said in his 9 years it’s never happened. It’s their first one. So those things happen and you have to practice.
I have military background too. Military, all they do is practice. That’s everything, they practice, practice, practice, hoping you never have to go to war, but you practice. So the hospital systems, same thing, we have these different codes, and it’s like people have to go to certain places at certain times. We get a code pink and they’re not just security people but hospital people. You’re assigned to a door, nobody goes out that door. Somebody scoops up a child or a baby and starts heading for the door who is not authorized and you’re stealing a baby, yeah, that’s a big deal. We have to practice these things, there’s procedures in place that local authorities are called. There’s announcements across the hospital, code pink, code pink, those kinds of things. There’s uniqueness there.
There’s uniqueness to our hospital system too because we’re a teaching hospital. We’ve got camera systems everywhere. Some are motion sensitive, some are sound sensitive, so they turn on and off. The patients and the visitors sign a disclaimer when you come in that yup, I’m aware that I’m being monitored.
As a teaching hospital, our trauma base, our operating rooms have the ability to record procedures for teaching purposes. For most procedures the patients are masked, you don’t know who it is. There’s no patient record with it. But still that’s data that we have to protect – who has access to it, who can copy it, how long do we retain it, a lot of policies involved. As a hospital system, we have data that we want to keep and use in perpetuity. If it’s for teaching purposes, we’re going to have them copied in the teaching library quickly but off the main systems. We are a county facility so the Freedom of Information Act applies to us. Somebody’s file – I want to see this data, we have to produce it. Now, if policy states it’s gone, it’s gone.
Anthony: Let’s jump into that real quick and we’re almost out of time. Amazingly, we’ve been talking for half an hour. You mentioned policies a few times – is it possible to drown in policies? Tell me a little bit about your thoughts on how to get that right.
Bob: Well, I’m fortunate here. We have a Chief Compliance Officer and his shop handles all policies across the hospital including the IT policies. Now, my area, the CIO and myself, we’re responsible for the IT policies, enforcing them, and updating them. I have a dotted line reporting relationship with our Chief Compliance Officer so if there’s ever an IT issue, then I can just get it around my CIO.
He even said that when he hired me, “if you see that, you better report something up to Compliance. Protocol is you come to me from a chain of command perspective but you have a dotted line responsibility to the Chief Compliance Officer and the CEO. You can go to them directly.”
Anthony: And the point of that is so you could never say I was blocked by the CIO.
Bob: Yes. It would be very difficult for any CISO to enforce policy on his own department in IT in one meeting and your next meeting is you’re talking about your performance review. You could put yourself in a pretty sticky wicket.
Anthony: Are you talking about the challenges of reporting, a CISO reporting to the CIO because most places that’s how it’s done?
Bob: Most places that’s how it’s done. In my last shop I reported to the CEO; I didn’t report to the head of IT. Valleywise and Kelly Summers did this long before when he created the CISO position 9 years ago. He intentionally said no, this position has to have dotted line reporting to the Chief of Compliance as well as to me.
Now from day to day operational, I’m in the IT shop because my team has to have access and authority to do things within the IT organization to do their jobs. Like I said, in my last organization I reported to the CEO. We were outside of IT so we didn’t have the direct admin access that we needed to the engineering side if we weren’t in the IT shop, so then it was more driving policy and driving configuration.
It’s a challenge. I think it’s going to evolve. You’re probably old enough to remember that years ago, the guy in security was in the backroom, many layers down reporting up through IT management, usually on the network team side. But now it’s becoming a parity where the CISO and the CIO are parallel, they’re peers, reporting up to either a Chief Operating Officer or sometimes the CFO. Some organizations I’ve been with, the CISO reports to Legal.
A lot of time when you see that, the CISO would report up to legal but there is a security operations group that’s still in IT handling the day to day. The operation of the SIM, security operations components, managing endpoints, the technical side of this role where the policy shop would be the CISO and policy compliance, controls so they split the role. I’ve been a director of security operations and I’m at a level where I can be doing that at the same time.
Anthony: Bob, we’re almost out of time. I want to ask you one final question and then I’m going to let you go. You’ve got some diversified experience. You have your military background and background in a number of different industries. I want you to offer your best piece of advice for someone in your position, CISO, at a comparably sized health system. Maybe they’re new, maybe they’re starting out, maybe they’re in the middle of their career, maybe they don’t have all the diverse range of experience you have or the military background. What’s your best piece of advice to that person on how to be successful in the role?
Bob: Discipline is one of the things you have to consider. I’ve done it before and borrowed this information. Again, I belong to a couple of security communities, so we talk a lot. In the academia world, they call it plagiarism. In business, we call it best practices.
Any time I step into a new role, or if I’m helping mentor a new CISO, I develop a good 100-day plan. Meet all the stakeholders, get to know them, what they do, what their pain points are, both inside and outside the IT shop. My peers in the infrastructure and application development, service management, BMO, get to know them well. Then look at all the key stakeholders, all the divisions and departments that we serve, the customers and clients. I’ve gone away from calling them users because I learned years ago that they’re customers and clients out there. Get to know them well. That’s kind of phase 1.
After you’ve done that assessment, you circle back with your boss, and redefine, “okay, you hired me to be – here’s my job description. After this conversation, here’s where I think it may need to change a little bit.” Then you start looking at what are the policies in place, what are the latest assessments that are done, latest penetration test, outside assessment, what are the budget challenges. I work for a county entity so budget is very critical. It’s hard to get. You have to justify it, not that they’re always going to get the cheapest but we want to make sure we get the best bang for our buck. Sometimes you’ll ask for a head count increase of three and you get one or you get none, depending on budget. These are the county challenges; if you’re private sector, it can be a little bit different.
After you’ve done that, then you have to sit down as the CISO and say “okay, they hired me for my expertise, my background and my experience.” Kelly, myself, we both come from three or four different backgrounds. He was part of the original team that developed the SR-71 so he’s got a different background from the rest of us. So you’ve got to develop that 3 to 5 year plan on “my assessment, I’ve been here, I’ve looked at budgets and all the documentation,” continue to follow up with all that but then develop a plan. Here’s where I think it could go or should go. Part of that plan will be here’s what budget I will need to do that. Get an agreement on those things within your peer groups.
You can go to infrastructure and say “you got a lot of systems that need to be upgraded. It’s a risk to the organization and okay, let me help you, help you get budget for it.” But all along the way, it’s the constant communication. Anytime I have an opportunity to share my vision or what I’ve done with not just the CIO and my own peer group, like I said, I just came off a senior leaders meeting with everyone saying “I’ll share what I’m doing.” Because if you’re a CISO and you sit in a vacuum and try to make demands, your success is going to go downhill real fast. But if you work with those people and develop those relationships, then you can move things forward in a secure manner. You’re going to run into bumps along the way, you’re going to run into business units, you’re going to say “no, not going to do that. I’m going to do it this way.”
Then you have to be eloquent, present them with the risk and then also present them with “if you’re willing to take this risk, I need you to document that you’re willing to take this risk,” and sign off on it. Because it’s happened more recently that we have an issue, we have a breach, we got attacked and the CISO has to update his resume. I’m to a point now in my career where I don’t want to update my resume again.
As a business unit, I’ll pick radiology. They’re a good one. They’re not doing any risk so I’m not throwing them under the bus. If they wanted to take some risks with the technology and then I say “no, I don’t want to do it,” and they have a compelling argument saying “we want to do it and we’ll accept the risk.” You’re signing off that you’re accepting the risks and this will be shared with the executive team and the Board. A lot of times they’re going to change their mind.
But if they don’t, then I’ve got my get out of jail free card. Six months later they might say, “hey, the system got breached. Hey CISO, what would you do about it?” They accepted the risk and we did everything we can to protect it but still they opened the door.
Anthony: Does that also go to, you do your rounds, you start the job, you do your rounds, you find out what the problems are, you develop your plan and you propose your plan along with what you’ll need financially to execute your plan, and the organization comes back and says we can give you half of what you’re saying you need to do what you think needs to be done.
Bob: Yup.
Anthony: How do you respond to that?
Bob: You respond to it from a risk perspective. You look at your plan, you would prioritize at that point saying “okay, I understand budgets. I understand you’re not going to just give me a blank check. I didn’t expect that.” But then you go back with a list of the high risk items that we can do. These are the lower ones and you need to keep communicating that and then every opportunity you get to request budget or request some change like “okay, we can’t do it this way, we can do it this way and work it out.”
We have a relationship with the state of Arizona and the Department of Homeland Security, we are leveraged there in a lot of areas, they have tools we can utilize at no cost to us. You work at the priorities but the key to success here is constant communication with those who are going to be making the decisions. Being a trusted adviser, we hear that term all the time, we want to be a Trusted Advisor. For me, my success here was when our CAO, Chief Administrative Officer, or the CEO or the Chief Medical Officer reached out to me directly, not through my boss, and asked questions or asked for advice or asked if an email is real. That to me was the biggest success because they trusted me to just deal with it. They didn’t bother Kelly or the head of infrastructure, any other department head. Okay, this smells funny in security, just call Bob.
To me, that was a mark of success when our CEO reaches out to me directly and says “Hey, did you see this article, how does this impact us?”
Anthony: Awesome. And you build that trust.
Bob: Build that trust through communication and sometimes you’re going to tell them bad news. I had one last week, we finished our open enrollment. We enrolled over to the new quarter and we got an open enrollment email blast. I was like whoa, whoa, this isn’t real. I quickly developed some comms and pushed it to the whole company saying if you got this email, delete it because we’re already done with open enrollment, so if you’re getting this, it isn’t from us.
Then, from my engineering team, my access manager team, trust they do their jobs. I don’t like to micromanage. I’m the management style of here’s our approach, here’s what we need to accomplish, here’s the time frames we need to accomplish it, and here’s what is expected of us, go do your job. My job is to stand between you and the bullets coming at us.
I tell the CIO, if we are ever working on an incident (and we have before), don’t call directly to one of my engineers to get data or don’t call me and say, ‘hey, I need you to talk to so and so to find out what the status is.’ I’ll get the status, you don’t get it. I’ll leave them alone because they have to do their job. Every time I have to call one of them and ask the status, it takes time away from what they’re doing. I get status with them on a regular cadence. If you want a status outside that cadence, then I’ve got to change my expectation of when it’s going to get done because you’re making me get in their way.
Anthony: That’s right.
Bob: Don’t get in their way.
Anthony: I love it. I love it, Bob. Bob, this was an awesome conversation.
Bob: Thank you.
Anthony: I really appreciate your time today. Thank you so much.
Bob: Me too. Looking forward to seeing you.