Published November 2022
“There’s no secret there that other countries are attacking us,” says Dennis Leber, PhD, interim CISO at UConn Health. And this puts a huge responsibility on the shoulders of a CISO. But in the end, the ultimate responsibility for making big security-related calls lies with the organization’s top leaders, and CISOs have to find a way to give them all the information they need to make those decisions. In this interview with Anthony Guerra, healthsystemCIO founder and editor-in-chief, Leber – who has been chasing after the bad guys for a long time; first in the military, then in a career as a police officer and now as a CISO – says that CISOs and CEOs often don’t use the same language when it comes to talking about cybersecurity risk, and that’s why it’s important to use the CEO’s language rather than cyber-speak.
Guerra: Dennis, thanks for joining me.
Leber: Happy to be here. Thanks for having me.
Guerra: All right, great. Thank you. Dennis, do you want to tell me a little bit about UConn Health and your role over there?
Leber: Sure. I am serving as the interim CISO at UConn Health. UConn Health is approximately a 300-bed hospital serving Connecticut and the residents there in the Connecticut-Hartford-Farmington area. We have two schools, College of Medicine, College of Dentistry. And so it’s a learning hospital. Like most hospitals, we have a nice research branch, and we have a population demographic of researchers as well.
Guerra: Excellent, very good. All right. I always like to ask folks in the CISO role how they came to be where they are. So how did you specifically come to wind up in the security side of healthcare information technology?
Leber: So it was a career change for me. I got out of high school and went in the military – in the Marines. When I got out of the Marine Corps, I came back home looking for a job. I actually joined the police department. Never really had a desire to be a police officer. It just sounded like a good job, and it paid well. And I did it for a long time. But I also noticed a lot of police officers when they retired, they were retiring and coming back to work as police officers. And I’m originally from Louisville, Kentucky. And so you have two big Ford plants in Louisville. And I was watching friends that work at UPS and Ford and when they retired, they didn’t go work for Chevy. Or if you worked at UPS and you retired, you didn’t go work for FedEx, right? So I started really looking inward and said, “I’ve got to be worth more than that.” And not that that’s a bad profession. But it was like, I don’t want to retire and go right back to a job I retired from.
I’ve always had a knack for computers. So I changed careers; actually went to work for UPS because they help pay for school, and the military helped pay for school through the GI Bill. Started taking courses. Took cybersecurity courses. That was my Bachelor of Science. Took a master’s course in information systems. And I was also in the reserves at the time. So I started talking to the unit and started working in what they call the S6 Communications. But it’s computers. So I started getting certifications and trainings and firsthand experience through the military, which just sparked it and from there, I just ran with it.
I got called back to active duty in the military and reserves. Continued that education and training. And then when I left the reserves, I started my first IT job as a civilian. And I just went from there. Everywhere I went, I built my career. If they didn’t have cybersecurity programs, I built a cybersecurity program; I took on the responsibility of cybersecurity. And continued to learn, continued to get certifications – just became a sponge for knowledge of IT and cybersecurity.
So even one of my first leadership jobs was basically an IT director. But I took on that role of cybersecurity as well. And then finally landed my first CISO role. That was always the aspiration, and once I started getting into this technology, it was cybersecurity, and I just had an acumen for it. It resonated with me. And now you know, I’m on my third, technically, CISO role. And they’ve been rewarding. I try to pick the roles and make changes when they enhance my career, enhance my ability and knowledge.
And then from there, I try to give back. I don’t post as much on LinkedIn as I used to just simply because of time, but I’m an adjunct professor at four different universities and I try to teach and try to give back. I try to mentor the teams that I have. And I found cybersecurity not only is a career in the industry, but it’s a hobby, and I think that’s for a lot of folks in cybersecurity, you know, we all focus on different parts like pen testing, or governance, but it’s something that when I’m not doing it at work, I find myself reading about it or writing about it or learning more about it, you know, following some of the pen testers on Twitter and looking at the insights and learning from them. So, it’s a hobby as well as a career.
Guerra: So, a couple of things there. Number one is, you are the second, not the first, former police officer I’ve spoken to who’s a CISO in healthcare. That’s interesting. Number two is, when you think about it, you wanted to change careers – in a sense you did and in a sense you didn’t. You’re still catching bad guys.
Leber: Yes, you know, it’s more rewarding in cybersecurity too. It’s truly folks that are trying to hurt folks. You know, sometimes police officers go after people down on their luck that are sick. You know, with cybersecurity, it’s truly a crime. And it’s a nation state. You know, I look at it and can relate it to those two areas. Being a police officer lent me some experience with investigation, and I still want to protect my organization and the folks that work in our nation, as well as when I was in the military. There’s a lot of nation state actors. There’s no secret there that other countries are attacking us. So tying it in from being in the military and protecting our nation to being a police officer and protecting communities, there is a lot of relatable experience there.
Guerra: It’s interesting, it made me think that when we talk about security incidents, we always talk about trying to prevent them, we talk about stopping them, dealing with them when they’re ongoing, getting the individuals out of your network. But it seems like that’s where it ends. We don’t talk about getting them. That gets, I guess, turned over to the FBI, and things like that. Is that how it works in your role? It’s just about preventing them and then getting them out. And then it gets turned over to law enforcement?
Leber: You know, it depends. We know cybercrime is a crime. But does everything get turned over to law enforcement? I don’t think so. Right? No, I mean, every time someone’s probing your network, technically, it’s unauthorized access. If it were our house, we’d call it trespassing or burglary. When it’s our computer systems, it’s still a crime, but not necessarily always pursued like a crime. I think it’d be overwhelming. I don’t think we have a legal infrastructure to address every single crime. And that’s true in society. I mean, I know as a police officer, there’s times when you give warnings based on the situation. Can you catch every burglar in the neighborhood? Well, you might be catching one but there’s three more down the street. I mean, those are reported. But what’s done about it? You don’t have a description. You weren’t home, you don’t have video, so we know the crime occurred, but there’s no pursuit of that. So cybersecurity is similar to that.
Guerra: Well, is there a gray area where we say, “Yes, this one really is not reportable, or yes, this one is reportable,” where it’s not absolutely black and white every time – it’s a judgment call?
Leber: No, I think you have these regulatory controls, you have requirements, you have state laws, a lot of those spell out when and how you report what you report. Especially with the cybersecurity insurance industry, there’s still a lot of that, you know, like HIPAA, there’s clear guidance on what you report, what you don’t report, right? There’s even timeframes around when you report, how fast you’ve got to report.
Guerra: Well, there’s a breach or incident going on now. We’ve seen it in the news, CommonSpirit Health System. They’ve had some outages over there. There have been some articles that said that perhaps information wasn’t flowing as quickly as people might have liked about what was going on. Do you have a certain feeling on maybe not the legal aspects, but the PR aspects of how you would approach an incident – and I know there’s PR to be dealt with, there’s the cyber insurance company, there’s issues there about whether or not the incident is ongoing, not letting too much information out. But also you would think you would want to be as transparent as possible. So what are your thoughts around that?
Leber: You know, you have to really coordinate with the organization. So we have organizational leaders, right? So even in cybersecurity, as important as our job is, as important as the responsibility and liabilities that lay in our lap, you still have to give the data to the organizational leaders, the CEOs, presidents, boards, or whoever. And they really have to determine what their approach is. You know, how often does any business area, not just cybersecurity go, “Hey, this is our recommendation.” And the organization goes, “Well, we have a bigger picture, and we’re not going to go that route.” So, you know, I would say the communication, the PR part, lies in the lap of the organizational leaders. Some folks have different methods. They don’t want the embarrassment. It doesn’t sit well with the board. I mean, there’s numerous reasons. I’m saying it generally. But I think it’s been clearly documented and demonstrated in the cybersecurity industry, and across society, that if you’re transparent and honest with these breaches, that is the best approach.
But then again, the CISO is not the final decision maker on how that’s put out, or how it’s communicated. I think we should be a coach, mentor, trainer and guide and make recommendations about the transparency and how well it works. But at the end of the day, those business leaders are going to be the ones who decide the PR and communications method.
Guerra: Very good. All right, I have a high-level question here. What are one or two of either the top things you’re working on, or the top trends you’re seeing?
Leber: I’ll go with the trends. Because, again, we talked about the transparency, but we don’t want to give roadmaps to our organization, right? As you’re working on something, you’re maybe talking about a weakness.
But I think a trend across all organizations in healthcare is phishing, vishing, and smishing. Those are funny words, but those are still some of the primary attack vectors we see. Of all the complexity, of all the wow factors that a lot of pen testers are able to find, simply phishing is still real heavy, and then the vishing, the phone calls now and the texting attacks are still extremely prolific.
And that ties back to the other trend, and we’ve heard it said different ways over the last couple of decades. But you know, humans used to say humans are the weakest link. I like to talk now about human factors engineering. Folks have been scamming other folks as long as there’s been folks. It’s the shell games, the three-card Monte. Now we just do it with computers and social engineering. There’s just so much more technology and data and psychology and science behind taking advantage of humans, related back to cybercrime, so that’s human factors engineering. How do we close those gaps? How do we put the safeguards in place utilizing human factors engineering? A lot of industries have done human factors engineering for more than a couple of decades. The military has done it. Healthcare does it itself in the triage areas, and in the hospitals area, we, as security practitioners, need to learn how to implement it into our industry and help close those holes and gaps. So when attacks happen, somewhere along the Swiss cheese model when all the holes are lining up, there are safeguards and controls in place that stop those and help folks not be victims.
Guerra: I’ve spoken to one individual who’s really knowledgeable in this area who says it’s much easier, as you said, to trick somebody than it is to navigate a complex cyber defense posture, so to speak. You need a lot less education to be able to just trick someone. So, very interesting point you’re making. And you talked about how we combat that. Is it really just employee education? Here’s how you’re going to be tricked. Here’s how they’re going to come at you. Here’s the different things they try and do. What are your thoughts beyond that?
Leber: No, I think the employee education is a paramount part of that, but we’ve been doing employee security awareness training for what, 20 years now or more, and we’re still falling victim to it. So it’s a part of it.
I’ve even created my own method around security awareness training called SPAR training. So it’s not just security awareness training, but I call it Security Preparedness and Response Training. You know, and so we do the preparedness part; it’s like here’s what phishing looks like; here’s indicators of compromise. Oh, and here’s what I want you to do in response if you see these things. But we still have people clicking links. So I think it’s just a portion of it. I don’t think it should go away. But I don’t think it’s effective to the point where it’s going to change anything.
The other part of it is I’ll go back to the human factors engineering. So if you’re familiar with that, they call it the Swiss cheese model. So if you line up all the Swiss cheese so that the holes line up, it creates the perfect storm. In the Air Force, they talk about an airplane crashing. Well, the human factors engineering is that engineer that comes in and looks at all those factors, and goes, “Here’s how we can put in safeguards across that perfect alignment of the holes in the Swiss cheese that are like quality assurance checks, guardrails.” How do we put those checks in place, considering human psychology, that will eliminate or vastly reduce the ability to have that plane crash, and we need to mirror that into our cybersecurity industry programs.
Guerra: That’s interesting. I think it was yesterday or the day before, I’m telling you, I almost clicked on a PDF attachment in a strange email. I forget what it said; I forget their angle. But I really came close to clicking and then I’m like, “Whoa, what am I doing?” Maybe like you said, it’s a perfect alignment: your mind’s somewhere else. It’s just got the right keywords to get you convinced enough. And boom, right? And then you can’t believe you did it?
Leber: Yes. Well, you think about the stories out there with organizations that really made the news about their phishing campaigns where they sent the email out about Christmas bonuses at Christmastime. So yes, that’s a great phishing one. But organizations trying to teach and doing that, yes, people are going to click. You know, the economy’s not great right now. And people are trying to figure out how to get gas money to get to work. And if you see something like that, you might be more prone to click right now.
Guerra: I don’t think it made that organization very popular with those employees from what I remember. Not a nice way to trick them.
Leber: Right. And you talk about the transparency and breaches, it doesn’t make you very popular in the cybersecurity industry as well. There’s folks that get angry about that. So yes.
Guerra: All right. Very good. You’ve mentioned that you hadn’t posted on LinkedIn in a while, but you did have some articles up there that I read. And a lot about boards, a lot about CEO-CISO relationships. You talked about what CEOs should be requesting from their CISOs and the direction they should give their CISOs so they can be successful, such as providing your CISO with clear priorities, requesting the data you require to make risk-based decisions, and the level of risks you are willing to accept. I found that a very interesting analysis from that CEO position.
So my question to you is, do you think there can sometimes be a language gap that needs to be bridged? For example, if the CISO has a language that they used to explain risk; certain terms, certain scales, whatever it may be, the CEO may not speak that particular language of risk. How do you make sure that you’ve communicated properly, that the risk posture you are trying to explain or the risk level you’re trying to convey is truly what is absorbed by that decision maker?
Leber: Yes, you know, there’s a few parts to that. So I’ve been in organizations where they’re like, we just want good cybersecurity. I was like, but what are your priorities? Right? And sometimes you won’t get an answer. So most of us in cybersecurity know what right looks like. So you start down that road of, I’m going to build this foundational cybersecurity program and build it with what right looks like and provide you the updates that you want to hear, or you don’t want to hear. The offer’s there. And that’s not an optimal situation to be in.
But when you go back to the CEO, or the board, or the whoever’s in charge that you’re reporting to, it’s got to be about strategic goals, alignment to those goals, alignment to the direction of the organization, and you have to be able to translate that both ways. So you’d have to learn a couple languages. So it’s not necessarily that you want to inform, coach, mentor, train the CEO on the language that you use, but you want to use their language more, and be able to relate that back to your team. So even when you’re talking to your team about their area of expertise, you should still be able to explain how what they’re doing fits the bigger goal. So when you have your incident response team, they should also understand that this also contributes to our strategic goal. And I often do that with my team by writing their charter and then it helps them relate to what we’re doing by explaining the business alignment.
Guerra: Yes, it’s an interesting point. You know, it helps probably, as you’re saying, for a CISO, to have a clear mandate from the CEO, which is maybe more specific than as you said, “Just go do cybersecurity.” So for example, I have heard it said the other day that a CISO given one of these two mandates might approach their job very differently. So for example, if your mandate is patient safety, that’s one mandate and you will operate in a certain way versus data protection. Those would send you on slightly, maybe not completely different, but slightly different paths. Is that correct?
Leber: There’s some truth to this, the focus, right? So you understand what the priority of the organization is when they say patient safety. So when you are talking about your cybersecurity programs, you just need to always relate it back to patient safety, right? So it’s one of the reasons why I liked the NIST cybersecurity framework. An older way to think of it is, what are your crown jewels? And how do you protect those crown jewels? Well, that’s a way we have to stop thinking. You think of the casino in Vegas, where they attacked the entire casino through the monitor in the fish tank, right? I guarantee you, and I would bet money on it, I’d go out on a limb and say that the monitor in the fish tank was not a crown jewel, it was never identified as a crown jewel. And maybe never even had a risk assessment on it. It was bought, plugged in, stuck in the fish tank and forgotten about, yet that’s how they hacked in. Target, a long time ago, was hacked through the HVAC system. The HVAC system was probably not identified as a crown jewel.
So we have to build our cybersecurity programs where it’s holistic, protecting everything equally. And then as the priorities of the organization come out, such as, “We want patient safety.” Well, then how do I tie back protecting the thermometer in the fish tank to patient safety and how do I justify it? So you use that to your advantage. So you use patient safety, you know, what’s important to them, and you relate everything back to patient safety. So yes, some organizations, most organizations, are going to go down slightly different paths because of the focus area. But you’ve just got to learn how to be creative and use where they’re focused, relate it back to how you build that holistic program.
Guerra: Very good. One of the biggest areas that CISOs have to focus on is business continuity, planning resiliency, getting the organization back up and running. So that means to me, when we think that through, that means that CISOs need to have more interaction with clinical leaders to understand what their important applications are; the most important applications, to have conversations around. What would you do if we had to take this down if there was a ransomware attack or whatever. And if we had to take this down and I had to give you some notice that we’re shutting this application off, and you had to prepare for going to paper.
There seems to be a bit of a gap in health systems around who manages that, who makes sure the clinicians understand how to go to paper-based procedures and come back, obviously all heavily coordinated with IT and the CISO, who would be saying, “Hey, we’re gonna shut you off in two hours, or we’re gonna shut you off in five minutes.” But somebody has to make sure that those clinicians have worked out those procedures, which would happen after that to go to paper and back. What are your thoughts around that? And is anyone managing that in a health system?
Leber: You know, I think everyone in the health system, all health systems, in general, are aware of the potential to be shut down. As far as the management, I would say, it’s like the proverb of it takes a tribe to raise a child, right? It takes the entire community. I think that’s an organizational leadership-driven initiative, with the responsibilities shared across several leaders, the CIO, the CISO. So you know, we call it the ARC (academic, research and clinical writing). Each one of those areas has leaders and external partners on that. There’s emergency preparedness organizations, and, you know, Connecticut has emergency preparedness. When I was in Kentucky, they had the Kentucky Department of Homeland Security. They have different names, but they all have pretty much the same purpose. And it’s a shared responsibility, because it’s not just necessarily a cybersecurity attack that shuts you down. Up in Connecticut, it could be a hurricane. You know, in Kentucky, it could be an earthquake, you know, down here in Tennessee, it can be the Tennessee Volunteers beating Alabama. But it’s organizationally driven.
So the mandate should come from the CEO, or president or whoever’s in charge of the board, and then the responsible leaders for each area. So as a CISO, so you know, I don’t control the IT infrastructure. So if it’s an infrastructure issue that goes down, that’s not a cybersecurity event. But I’m definitely there to help and definitely there to coordinate and collaborate.
Tabletop exercises simulating shutdowns are important, and me being involved in that. But to the point, if you think about the emergency rooms in hospitals, the provider that runs the emergency rooms and the folks that run the triage area, they know that area better than anyone. We know the technology we’ve deployed for them, but they know the processes, they know the flow, they know what they need, the forms. So a lot of that goes back to that business area and going, “Hey, if we get shut down tomorrow, for whatever reason, how do you respond?”
CISOs, because of our acumen about business continuity and disaster recovery, often are looked at to help guide those conversations. But it really should be driven at an organizational level; that’s an organizational problem, not just a cybersecurity problem. If you have a hospital, and you shut down and you can’t take patients in, then you’re not billing, you know, you’re not doing the business that makes our organization’s revenue. That’s way beyond just cybersecurity. That’s an organizational issue, so it takes that community to go through and say, “Hey, it’s mandated, hey, here’s how we help. Here’s our part. Here’s what your part is, how do you meet that responsibility?” And that’s where the CISO can help with a lot of that and guide those conversations.
Guerra: Right. If it is a cyber incident where systems have to come down, is it important for CISOs to workshop those, and to get those tabletops done and whatnot, where we’re actually mimicking a cyber incident where systems have to come down. And then I would imagine you may not be making the decisions about what needs to come down, but certainly strong recommendations to perhaps the CIO, or the board or whatnot. And you’re saying, we need to take things offline. You know, users need to be informed. Does that get workshopped where you have more of a position of leadership because it’s cyber?
Leber: Yes, yes, absolutely. I think that’s paramount that you do these workshops. I think those discussions, even if they’re desktop discussions, and a little less than a tabletop discussion, they have to start somewhere, and you should be doing them. And that’s why we talk about playbooks as well. If you have ransomware, it’s also communicated. So the ideal situation is we’ve had these conversations with all the appropriate leaders – I talked about the ARC at UConn – those leaders, we’ve already had those conversations with them. So if we get a call in the middle of the night on ransomware and we start our phone call tree, everyone knows, hey, we also know that means these systems are coming offline. So they know to start their initiatives and actions. Absolutely.
Guerra: Excellent. Alright, Dennis, that’s about all we had time for today, I’d just like to give you an opportunity for a final thought or piece of advice. I’ll frame it up this way, someone in a comparable-sized organization, what’s your best nugget from your experience about how they can be successful in their CISO role?
Leber: Just remember, you don’t do it alone. It’s not in a vacuum or silo. It takes a community. You are going to not be very effective, and you’re going to be very frustrated if you’re trying to go it alone. Build those relationships, understand the business, work with your IT staff partners, your infrastructure partners, your CIO, your CEO, regardless of what the reporting structure is – if you report to them or their peers – they’re still your partners and you have to work together.
Guerra: Excellent. Dennis, thanks so much for your time today. I think people are going to really enjoy this. Thank you.
Leber: Thank you. Glad to be here.