Published May 2023
Having served in provider roles, as a consultant, and now as a vendor executive, Drex DeFord, Executive Healthcare Strategist with CrowdStrike, has just about seen it all. As such, it’s not surprising he’s picked up some best practices along the way. Among them are how important governance is to ensure the IT department is working on the right things, how to handle reduced budgets, and the benefits of allowing everyone on the team to work at the top of their license. In this Partner Perspective interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, DeFord offers some keys to handling these issues and many others.
Podcast duration: 55:07 (37.8MB)
TOC
- CIO/CISO/CTO Dynamics
- Managing Tight Margins
- Governance is King
- The Right Way to Manage Shadow IT
- Third-Party Risk
- The Far End of the Cloud
- Up-Skilling Your Team
- Drex’s First 90 Days
Anthony: Drex, thanks for joining me.
Drex: Hey, happy to be here. Always a good time talking to you.
Anthony: Let’s start out, tell me a little bit about CrowdStrike and your role there.
Drex: Sure. I’m, as you said, the Executive Healthcare Strategist at CrowdStrike, it’s been an interesting path to get here. CrowdStrike is one of the world’s largest cybersecurity companies. We have a healthcare vertical that was started about five years ago.
My career path (as you know but as some of the listeners might not know) is a long-time healthcare CIO, 20 years in the US Air Force, CIO at small hospitals, large hospitals, hospital administrator but happened to specialize in information services, was the Chief Technology Officer for Air Force Health worldwide operations in DC before I retired, and then I went to Scripps and then Seattle Children’s and then Steward Healthcare as CIO, became an independent consultant and it turned out that, not intentionally, but I wound up having several cybersecurity companies as clients.
One of those was CrowdStrike as they started the healthcare vertical. I’ve been involved in the CrowdStrike healthcare vertical from the beginning. I don’t want to do a commercial about the product set and all the things that it does but, ultimately, what it boils down to is that I very definitely don’t have a boring job: helping stop breaches and helping healthcare organizations drive better, faster, cheaper, safer, easier access to care and more resilient operations, ultimately, in support of patients and families. “We Stop Breaches” is really the core of what CrowdStrike is.
Anthony: When you were coming up as a CIO is it safe to say that the CISO role was not popular, was not in effect back then and therefore CIOs essentially functioned as CISOs and therefore they were quite security savvy?
Drex: There was definitely a long period of time where I think those jobs were consolidated but over time, I think really as I got into the later years of my US Air Force job, there were more and more CISOs separate from CTOs, separate from CIOs, and then once I went to Scripps Health, we had a completely separate CISO and the CISO actually didn’t even work in the information services department. They were part of the compliance team. I had security operations folks on my team that I had responsibility for, but the CISO and a lot of the policy and risk management conversations, those things happened in a model that kept the fox from watching the henhouse, which was a model that I really liked.
Anthony: You did like having the CISO not in IT, you like them over in compliance? You thought that worked?
Drex: I thought it worked, mostly because at one point when I was in DC, the CISO worked for me as the Chief Technology Officer and I realized that sometimes, not intentionally, but because I wrote that person’s ticket, right, because I wrote their annual review, there were times when that person would be in conversations with us in the team and we would say something like, “Well, I think we’re going to have to slip this project because we have some security requirements that we’re not going to meet, and so it’s going to take us another 30 days to get that done.” You would see the uncomfortableness in the CISO, not wanting to upset the apple cart. Not that their job is to upset the apple cart, but I never really wanted to put them in that position where it even felt like it was implied that I was asking them to do something that they didn’t want to do, that they didn’t think was right, that put the organization at risk.
Having them separate seems like a really good idea. I will tell you over time though, as security operations has grown and changed, as the CISO’s job has grown and changed and as we have deployed electronic health records and tons of other digital health stuff, those jobs have really almost come full circle and consolidated again.
I see a lot of CISOs/CTOs working in healthcare organizations; some of that has to do with tons and tons and tons of security operations stuff like patching and other things that need to happen in the CTO’s department. Having a joint title in a single person at the top creates a situation where they can prioritize security work that they might not have prioritized otherwise.
It doesn’t matter to whom the CISO reports, I think it ultimately boils down to what’s the respect and the structure in the organization that allows the work to get done the way it should get done without excess undue influence from folks in the organization who might cause a challenge or a problem when it comes to cybersecurity.
Anthony: Right, right. A lot of them – I think probably from the ones I’ve talked to, we’re probably talking 80 to 90% reporting to the CIO. Do you feel like that’s accurate?
Drex: I would say yes. I would say at least half but maybe more than half. The other half is scattered across the organization, right. They might report to the CFO, sometimes they report to legal, very often too in the compliance chain of command somewhere.
Anthony: You just need respect, right? If you were the CIO who has the CISO reporting up to you, even though you could perhaps run roughshod over them and push through your innovation things, but that’s not good for the organization.
Drex: Yes. I mean, if you got the CISO, the compliance team and the information services leader, the CIO, or the Chief Digital Officer, working together very closely, the reporting relationship probably doesn’t matter that much.
Anthony: Interesting stuff. You’re out there, you’re talking to a lot of these folks as you’re dealing with customers’ perspective, prospective customers, what are some of the main things you’re hearing right now that they’re grappling with?
Drex: Yes, I spend time with certainly prospective customers but I spent a lot of time with our existing customers too. A lot of our conversations go as you can imagine in a lot of different directions because of just my background and experience. We talk about cybersecurity stuff. We talk about a lot of other things. Certainly, margins are tight right now. We hear a lot of conversations about margins, how is the organization thinking about driving to better value, the conversations around consolidation of multiple products, not just in the security suite but the whole application harmonization, consolidation process.
We see more and more partnering for everything, co-sourcing environment, everything from apps obviously to cybersecurity, in our case. Organizations who just realized that they really need to disrupt themselves. They need to do things differently but change is scary and so that’s a challenge that a lot of them are facing. Risks, obviously, is high, across the board – from a cyber perspective, absolutely. But risk is high for a lot of other reasons too. There are a lot of big digital health programs or projects that have been fielded or have been delayed and are being re-evaluated. There’s risk in all of that.
There’s a ton of merger and acquisition going on right now and that’s hard to do well. Risk is an important part of every conversation including who owns the risk. Then, all of that wraps together in a bunch of different ways. I see a lot more conversations about cloud and commitment to the cloud, the decision that we are in this sense of disruption. We are going to get out of the data center. We are going to get out of the data center as much as we can. It feels like the hybrid environment is here to stay and cloud will continue to grow.
There’s a lot of change, I think, happening in healthcare right now.
Anthony: Let’s start by going a little bit more into the tight margins. This is real, right, on the ground? How does this manifest itself, specifically, in a scenario? You’re a CIO or a CISO, as the economic conditions change and worsen, what happens? Is it a regular budget meeting where your CFO says, “Hey, I need you to cut back on what you’re spending,” or is it when you present the next budget and they say you have to reduce this by 30 percent?
Drex: Right. How do the orders come down? That probably varies by organization but based on the conversations that I’m having right now, it used to be that we did an annual budget. We submitted an annual budget and then sometime during that annual budget process, we justified the things that we needed to spend the money on and that got approved or disapproved and then we executed on that. Then, we came back next year with another annual budget.
In the meantime, there might be a few things that would happen over the course of that budget. We would have conversations with the CFO or board or other teams as needed, but mostly we were in control of our budget. It feels like today the budget cycle doesn’t end. There’s an annual budget that you submit but the feeling I get as I talk to a lot of CISOs and CIOs is that there may almost be like a monthly review of the budget now with the finance team, with the CFO’s team. You know, “What are we spending our money on, do we really need to spend this, can we delay it?” – there’s a lot of those conversations that are going on.
That can be super frustrating, right, for executives who are executors and want to get things done. This feels like a pretty major administrative finance exercise but I think in the core of it, when you talk about how do you react to it and how do you deal with it, a lot of it is really just I think being calm and put on your business hat and be the business person. I think you’re super transparent about everything that’s going on – here’s how we’re spending our money, these are the things that are coming up this month, these are the things that are coming up this quarter, here’s new requirements that have dropped in on me for one reason or another, it could be regulation, it could be something else, things break.
If you’re a CIO, in your domain, things break and you have to keep up on that. I think the key is just being really, really transparent, and then I think demonstrating again and again to the finance team and the CFO that you’re doing everything you can to improve your operations, to squeeze out every dollar, to disrupt yourself, to do the things you need to do to make sure that you’re providing great service and great capabilities to business, clinical and research operators, but you’re doing it in the most efficient way possible that you can come up with.
Good governance is obviously a huge part of this. A big challenge in every health system that I’ve ever been to in the early stages of the conversation, when I just arrived, a lot of it has to do with governance or lack of governance. They might say they have a governance process in place, they have a list of projects, but it can be a challenge – everything from just managing those projects well and making sure they are implemented on time and they have good business sponsors and good business plans and all of that, but it can be all the way through.
Just sometimes in organizations when you say no in the governance process that’s almost permission for those departments to go out and try to do something on their own and that leakage, that challenge of pulling resources away from what needs to be done and has been approved to other sorts of projects, those little subversive, in some ways, operations to the governance process can be a real challenge. Then, I know ROI and value documentation can be a real challenge but I think they’re incredibly important in the governance process and in the transparency process.
A lot of this has to do with having solid business plans and working those plans with your clinical, business and research operators so that they’ve got really good plans. Most of the projects that information services has, IT projects, are not really IT projects; they are business, clinical or research projects that are supported heavily by the information services team because there are information services components to them. But the things that cause those projects ultimately, in large part, to be delayed or to fail or to have cost overruns are the people and process components, which are owned by the business, clinical or research leaders who really should be pulling those projects into place.
A lot of this again comes back to governance and transparency, helping everybody understand what’s really needed for the department to run as efficiently as possible and the realization, I think also, that most of the stuff that we run in information services, we run for someone else. “Across the board, cut this by 10%,” should then be a conversation with business, clinical and research operators and leaders around what 10% do you want me to cut, because it can’t be an independent decision on your part. You really have to co-opt them into it. By doing that, you’ll also get good support, good teammates who will help root for the cause when it comes to budget challenges.
Anthony: When we’re talking about governance here, we’re talking about the business deciding how IT dollars are going to be spent and which projects are going to be funded, correct?
Drex: Yes, prioritization in general, right. In the places where I’ve been, we always have consolidated governance processes. There was a sub process for facilities (I mean, this is mostly built around the CapEx model, but it was a project for facilities), there was one for medical equipment, and there was one for information services and then we had a joint session of governance where we made decisions and re-looked at our decisions on a very regular basis, saying we have the resources to do the projects down to this line.
Everything above the line we’re going to do and everything below the line, even though they’re really great ideas, don’t get us wrong, these are not stupid ideas, some of them they’re like no-brainers, but we’re going to actively say no to the things below the line. This governance process is not just about prioritization, it’s also about sending the message out to the organization that the things below the line that we’ve actively said no to, I need everyone in the organization to say no to those projects. Don’t spin off a little thing on your own to do this on the down low. That’s not what the governance process is. It’s not what the leadership of the organization wants.
This is a lot about helping people stay focused in an environment that doesn’t have the resources to do everything that everyone wants. That’s a really hard thing for us in healthcare. I think it’s a hard thing for a lot of businesses in general. I think it’s a hard thing for a lot of people individually, it’s why we carry so much credit card debt and other things, sometimes even personally. But it really is just about prioritization, first things first, being really clear about what you’re going to do, what you’re really going to put your shoulder against and then, being really clear about the things that you are not going to do right now.
Some of those things can be like we’re not going to spend money on this thing below the line but if you want to put effort into improving the processes that are tied to this thing that you want to buy, you should absolutely go ahead and do that. Because that might more clearly define the technology that we need to improve that process, right. It may mean, ultimately, it costs less money because you’ve improved the process; so much that really you figured out just the tiny thing that really needs to be automated instead of having this giant project and that may get above the line and be something we can do.
The governance process is complicated. As an independent consultant, I spend a lot of time with health systems and other companies working through governance. It’s one of my favorite things.
Anthony: Who designs the governance process? Is it the CIO who’s designing that process? Can the CIO change it or is that CEO-level stuff?
Drex: I mean ultimately you want to get the CEO on board with it if you don’t have a governance process. Sometimes, it’s sitting down with the CEO and walking through the whole governance conversation, what it is and what it means and how it works, and does this solve some of the problems that you see that are chronic problems in the organization?
For me, often, these were conversations during the interview process. As I came to the organization, I asked a lot of questions about governance and how they prioritize and how they decided what they weren’t going to do, and what I often heard in those interviews, and often part of the reason I took the job is that yes, we don’t do that well. We struggle with that a lot. How have you seen it done right? You know when you start to get those questions that you really have an opportunity to lead on that.
It’s the same, not just with governance but with lots of things as information services leaders, the CIO or Chief Digital Officer, you have interesting opportunities because of the way the CIO job, CDO job, works, you have your fingers in so many pies across the organization, you can find opportunities to help the organization run more efficiently and become better stewards for the dollars and the resources that they have.
Then, if you lean into that I think that’s the reason you have seen more and more progression of CIOs, the Chief Digital Officers, to maybe the Chief Operating Officer or having other clinical or business operations responsibilities beside traditional CIO jobs, and some of them moving up into the big job. I think you just get a great view of the world from the CIO seat and from the CISO seat too. They’re involved in everything.
The Right Way to Manage Shadow IT
Anthony: Right. Well, there’s a lot of connections here. We go from governance to shadow IT, and it makes me think of how hard it is when the business units have their own budget and they can just go buy IT stuff.
Drex: Yes, for sure. You’ve heard me say this before and it sounds very cliché but everything is connected to everything else. Absolutely. In this governance process, conversations with supply chain, conversations with the finance team, saying, “Anything that comes through that looks like it’s an attempt to buy or pay for something that might have an IT smell, send that over to us, we need to see it.” This is where you start to create the situation where you have some line of sight to the things that are happening.
Most of the time when you show up as a new CIO or a new CISO to an organization that is in the turnaround process, or has been in a bit of turmoil, you show up into a situation where there are hobby shops, there are shadow IT departments, you’re starting off already in that situation.
The right way to do that, in my opinion, from my experience, has been not immediately try to go in and say, “We’re shutting down all the shadow IT,” it becomes a, “I need to know and understand what you’re doing and why you’re doing it, I’m not going to try to shut it down but we need to understand the things that you’re doing and why you’re doing it so that we can build the capacity to support you.”
What happens over time is as you understand that, as you invite those individuals who are running those shadow IT departments to your information services department meeting and make them feel like part of the team, and they start to see the improvements in the information services department and the way that you work and the way that you run operations, the way that you manage security, they will come to you fairly quickly and say, “I never really wanted to do this, can you take it off my hands?” That turns into a conversation around, “Yup, we can, but we also need the resources that you’ve expended on that, those need to transfer into our budget, potentially FTEs need to transfer into our budget.”
You can slowly but surely make progress decomposing the shadow IT world, but you’re never going to get rid of all of it, I don’t think. In some cases, it’s probably good that some of those departments have their own services and their own capabilities, and that gets into another conversation then. Sometimes, for the CISO, it’s, “Look the only reason I have to do this particular piece of work is to secure this PCI thing or this other thing that you’re doing in your department. How about I bill you like a utility to support that piece of work that I have to do from a cybersecurity perspective to take care of your application.” Now, you may get pushback on that.
The next conversation is, “Let’s talk about if you didn’t have support from us for that piece of work, how much revenue would the organization lose because you’d have to take that off line?” That becomes the business plan, right? This becomes what’s the value of what we do? The work that we do contributes what to revenue bottom or to whatever the metrics or the measures or the KPIs are that that department has. A lot of this is like, “Don’t get mad and be emotional,” a lot of it is just take a step back and take a breath. Most of you went to business school or some version of business school, use the things that you’ve learned over your academic career, use the things that you’ve learned over the course of your information services career and find some good solutions for everyone. They’re there, you just sometimes have to dig for them, right.
Anthony: You’re definitely not black and white when it comes to shadow IT. You believe in managing it with a more nuanced approach.
Drex: Yes, if we know it’s there and we can see it, we can definitely have conversations about securing it and then we start to have conversations about how do we spin it down. You can run a whole project around turning all the shadow IT off or, as you improve performance, I guarantee you a lot of those shadow IT departments will come to you and say, “It looks like you have your act together, please take this. I never really wanted to do it in the first place. The only reason we started doing it was because your department couldn’t,” and they will offload it, and then it’s a resource conversation.
Anthony: Third-party application reviews are becoming a huge challenge for IT departments and CISOs. This relates to shadow IT too. Are we seeing more of this because it’s easier to make a department-level buy and not involve IT when it’s a cloud app?
Drex: Yes, absolutely. Shadow IT has become easier to do because you can do it with a credit card now. Thus, my reference to make sure you’re working with your finance folks and as they see credit card receipts come across from departments, if there are things that look like they’re IT, we need to talk about it. It allows you to catch things early and then have a conversation before the department gets too addicted to whatever it is they’ve decided to do as a one-off thing with a credit card.
But when it comes to third party risk review, I mean, you can go to the HHS Wall of Shame and do a sort on how many of the breaches that are shown on the Wall of Shame are tied to business associates, and it’s a significant number. That is risk that continues to grow. For a lot of reasons, right, I think as we become more and more mature in healthcare and we start to say, “Okay, I’m not going to run all of this in my data center, I am going to run it in another place.” What we mean by cloud fits on a spectrum now, right? On the left end of the spectrum is Office 365. It doesn’t run in our data center anymore, it runs in the cloud. It’s not really a traditional cloud workload but it’s a thing that we don’t do here, that’s cloud, right?
Then, a little bit to the right of that, are the applications, software as a service stuff that we do and that can include things like electronic health record hosting and other stuff. We don’t do that here. That’s in the cloud.
On the far right side, there’s the real traditional cloud workload kinds of things. I think healthcare mostly is in the middle of this continuum right now. A lot of work around moving stuff off premise and into the software as a service world, some cases moving into the more traditional hardcore cloud workload stuff. The reality is in all of that though, there is the security challenge.
You don’t lose your responsibility for security just because you’ve moved it somewhere else. That’s why third party risk management programs turn out to be really, really important right now. They take a lot of time. They take a lot of effort. There are partners that you can work with, not CrowdStrike in particular, but there are some really great partners out there that you can work with that can help you with your third party risk management programs.
But understanding how those software as a service partners work, how they secure their environment, what the products are that they use, and this isn’t a one-time event, right. Once, you’ve checked them out and vetted them to say it’s okay if we use them or if we make that investment in a partnership, you have to continue to stay on top of that because threats change, the environment changes, how they’re doing their business and their back ends changes and you need to be able to stay on top of that.
Really hard to do, right? Because most organizations have sometimes hundreds of these things running but they really get their program to stay on top of them because that’s a route into your organization.
That’s one concern. You’re a route out of your organization to them. In many ways, you want to make sure that they’re secure and they want to make sure that you’re secure. The other challenge in all this too is not just the pure cybersecurity aspect of it, but often – well, not often, in almost all those cases you’re putting data in their cloud, right, in their application. You’re probably not alone if they’re smart and this is a good business model for them. They have several healthcare customers who are using their cloud. It makes their cloud a real target for adversaries too because they only have to bust into one organization to get access to multiple health systems data.
As a group, you all should be working together on individual vendors to make sure that they’re secure in doing the things that they should do to secure your data. Then, the last thing I’d say about it is that you are moving data out there. Do you know what that data is? Do you know what data you have at risk in each of those applications as part of a third party risk management program?
But data management in general is something that a lot of health systems struggle with, understanding where their data is, what data is at risk, where it’s stored, how it’s moved, how it’s consolidated from multiple applications into a database or spreadsheets that’s used by an individual department. As it turns out, that spreadsheet could be the real crown jewels of the organization. We’re used to securing individual applications but because of the reporting that we pulled, that a frontline manager has pulled out of those individual applications and consolidated into a spreadsheet, that turns out to be an incredibly valuable asset, and you may not even know that it exists on a shared drive somewhere.
So there’s a lot of challenges for healthcare today when it comes to cybersecurity data management, third party risk management.
Anthony: Interesting. I like the way you laid it out with the spectrum of cloud. If you’re going to be running your own cloud instance on one of the big three, you better know what you’re doing.
Drex: Yes, for sure. It is a continuum, right. It is a progression that I think most health systems make over time, and when they get to the right side, the right end of that spectrum, AWS or Azure or Google, as they start to actually make the decision to move workloads there and manage those workloads themselves, this is a special skill. It’s a special talent.
You may have amazing people that are really great at running on premise solutions and on premise servers and on premise workloads, the cloud is different and takes special skill to run well and manage well because you’re spinning instances up and down, spinning workloads up and down. It’s really easy to have a misconfiguration.
We know that there are lots of adversaries who are constantly looking at the cloud, trying to find those workload instances, those installations in the cloud where a misconfiguration has occurred and that gives them access to not only the cloud but often allows them to path back into the organization. It’s not a rare thing, it’s actually a very common thing.
I would say that, from a cybersecurity perspective, make sure you’re working with partners who can see that whole continuum from the frontline endpoint through server through cloud and can help identify, not only indicators of compromise (something really going on that’s bad and needs to be resolved right away), and indicators of attack (those things where there are particular behaviors that would lead you to believe that there is an attack underway so that you can cut it off), but also indicators of misconfiguration.
Because those are just the simple things that are easy to overlook especially if you don’t have experience in the cloud and you’re just initially making those moves. Work with partners who can help you secure that environment, that whole environment.
Anthony: Dealing with people is the hard stuff, right, especially for technology folks. Getting human beings to change is very hard. What’s your best advice for CIOs and CISOs who need to rebalance or upskill their teams?
Drex: You know your team better than anyone else, and I think it takes spending time with them and understanding what they are capable of and what do they want to do, right. That can be the other challenge – is that there may be much better ways to manage the work that’s of higher value and lower cost than how they do it today. Part of that challenge as a leader, and I’ve already mentioned disruption, but you have to be disruptive yourself. Just because your team wants to continue a particular piece of work, if that’s not the right decision for the organization, you may have to disrupt that.
I think that includes giving them opportunities to change, giving them all the opportunities that you can to upskill and change their skills. Some of them will be up for it, some of them may not. If they’re up for it, do your best to give them the right training and help them make that transition. You may take some of that work, like you said, and co-source it or transfer some of that work to partners but, from our perspective, that’s never an outsourcing conversation, that really is a co-sourcing conversation.
That’s about taking things that are just run more efficiently outside the organization and letting them run outside the organization, in many ways, so that you can take the people that you have on your team and let them upskill to the really hard stuff that you need to do inside the hospital or inside the health system. It is a hard conversation. It is a tough conversation. I think you have to look at all of the resources that you have, human resources, your partners, new capabilities that you may not be using today, and figure out what’s the right mix.
Yes, they are humans, they are people that you’ve known and that you’ve worked with, in some cases, maybe for years and years. You don’t want to leave them behind but part of this is the leadership and coaching that is helping them do new and different and interesting and maybe even harder and more fun work than they do today.
Anthony: Well, here’s my opinion on this.
Drex: Let it rip.
Anthony: My opinion is that you start off with the premise that these individuals are interested in the success of the organization. Let’s have that as a premise.
Drex: I like it.
Anthony: If we’re wrong there, then we have the wrong person on the team. But then you explain why we need to do this. Here is why. This is what we need to be doing. I want you to come on the journey with me but I need you to no longer just punch in the same things you’ve been punching in on the computer for 30 years. I need you to come with me and learn this new thing. What do you think?
Drex: I think the transparency part of that is incredibly important, right. We’re doing it, it’s not random, not just making a one-off decision, right. It’s part of a larger strategy and here’s why we’re doing it. These are the things we’re trying to protect in the organization. This is the risk that we see in the environment both internally and externally. Be transparent about that. If people are truly mission focused and mission oriented, to your point, if you have a good plan, they will come along for the ride. They will come along for the journey and they’ll do the things that they need to do.
I’ll tell you that most of the people I’ve ever worked with in healthcare, a big part of why they’re there is patients and families. They’re super motivated, realizing that in some cases they have been a patient in their past and it’s caused them to move into the healthcare industry and try to make healthcare better, or they have family that have been patients. I’ve been really healthy (knock on wood) most of my life but I know that I’m going to be a patient someday. I really need the healthcare system to be better than it is today when I’m admitted to a hospital.
For all those reasons, I think people that are in it for the mission can be motivated to change, even though change is hard for everyone. I think given the right information, given that transparency, they can be flexible and do different things as part of the disruptive process to create better care for patients and families.
Anthony: Yes, but when it doesn’t work, when you don’t get the buy-in, you can’t just let that fester, right? You need to make a change.
Drex: Back to the people process part of it, right – I can tell you that every place I’ve been and been part of a turnaround, there’s always been – I don’t know, I use this term, it may not be appropriate, but there have always been internal terrorists, right.
Anthony: Right.
Drex: Inside the organization. People that everybody in the organization agrees they don’t fit and they’re very disruptive. Everybody bends over backwards to try to accommodate them because they have some key role in the organization that if they’re not there to push that button every day at 2:00, the organization will fall apart, right.
Anthony: Right, right.
Drex: You talk to them, you try to get them on board. You try to get them in the right place and if they won’t come along, in many cases, I’ve had to let those folks go. I can tell you what happens when I let them go. Usually what happens is there will be a rush from across the team to me, saying, “Thank goodness, what took so long? I can’t believe that guy or that person hung around for that long. They cause chaos everywhere.” Then, in the next breath, they will say, “We’ll do anything we need to do to help cover that gap while we figure out maybe what that person was really doing. We don’t want the organization to fall apart. What do we need to do to help you figure that out?” What you get is a ton of goodwill across the organization.
I’ll tell you, the other thing that I see. I’ve seen regularly myself but I continue to see in organizations today is that when a CIO goes into an organization, they may get that same feedback about an individual but it turns out that individual maybe is really good and working really hard, they’ve just somehow wound up in the wrong job, and it’s caused them to act out or have other challenges and issues. Again, it requires some time sitting down with the person and understanding what they’re doing and how they got into that job and sometimes a demotion might even be the best thing – and the person will agree, absolutely. “This is just not the right job for me, can I just go back – I was a great analyst.”
Anthony: 100%.
Drex: You move them back into those roles. You do something else with them. You can give them a different job and they turn out to be 5-star performers. You just have to find the right spot.
Anthony: Absolutely, great advice. I want to ask you one more question before I let you go. We’re way over on time but I’ve enjoyed this too much. If Drex DeFord is taking over as – let’s make you a CISO at a sizable health system in the country, let’s give you 10 hospitals, and you’re taking over, what do your first 90 days look like?
Drex: I would probably do what I have always done in those new situations and that’s inventory what’s there, who are the people, what the situation looks like, you try to get the lay of the land as quickly as possible. You look inside the department, you look outside the department. You talk to other folks who have an opinion about how your department runs and what’s good and what’s bad. You immediately start looking for opportunities for efficiency.
How do I create opportunity for the people that are there who seem like they’re a good fit to work at the top of their license, so what can I take off their plate and transition – especially the boring work or the stuff that they need help with because it bogs them down, right. I’m going to try to get those things off their plate, and that may mean investment in partners to do some of that work so that I can push my team’s skills to the top of their license.
I want to make sure that the work that we’re doing really does map to our digital health investments, clinical, business, research, operations, and that we’re protecting those assets. That probably would inform much of a hybrid strategy if I went into a 10-hospital health system today. I probably would be thinking hard about the cloud and what are we going to move to the cloud, and somewhere on that spectrum, in that inventory, where are we in that cloud journey, and then that creates the plan for timelines and business plans and ROI and value realization, expectations that I would have for the plan that I would put together and then ultimately the process that I would use to report out on our ability to actually achieve those capabilities.
I’ll try to do all that in the structure of the governance process. If one didn’t exist or if one existed, I’d probably try to change it to make it easier to understand, to be more participative for business, clinical and research operators. I mean, it’s a good theoretical, I would say that what I’ve done every place I’ve gone is something like that so I probably would take a very similar approach and see. Once you get something off the ground for 90 days or 100 days, you see how it works, and then you adjust. A big part of all of this is I don’t want to build monuments that I can’t move as part of that design.
I want to create a very agile structure – my teams have heard me refer to semper gumby, always flexible, right. Terrible Latin, made up Latin, but semper gumby – so this idea that I’m going to build a structure that we can change and move and adjust quickly. Because the environment that we’re in today in healthcare, and from a cybersecurity perspective, is changing so fast that you basically have to build something that can move faster than the changing environment, faster than the adversary from a cybersecurity perspective.
If you can do that, then you’ve built a good plan, you’ve built a good program, you’ve built a good department and you’re going to be successful at your mission. If you have a bunch of anchors that are going to hold you back, it’s going to create a situation where there can be a lot of stress and strain where maybe it’s just not necessary.
Anthony: And you relate that flexibility to cloud? A lot of people talk about that when they talk about cloud.
Drex: I think it can be – back to people, process, technology, I think the technology is obviously an important part of this but a lot of it is the people, process part too. How are we going to build structures to make decisions about the work, governance structures that inform the work we’re going to do and the work we’re not going to do. Cloud certainly gives you a lot of flexibility but, as with everything, all good things come with a different set of risks. You need to understand those. You need to be able to deal and cope with those, but I think it gives you a lot of flexibility that on-prem doesn’t today.
Anthony: Drex, that’s about all we have time for today. Great conversation. I really enjoyed it.
Drex: Thank you. This is one of the best interviews I’ve ever done, Anthony.
Anthony: I paid him to say that, folks. I paid him to say that. I owe you $20. (laughing)
Drex: Thank you, buddy. Appreciate it.
Anthony: Thanks, buddy.