Published January 2023 –
CISOs often live in fear of a breach or audit, but Hugo Lai, CISO at Temple Health, says it’s not something to worry about. As long as you have a good plan and can explain the steps you’ve taken to protect the organization, the chips will fall where they may. And never consider it to be on your shoulders alone, as you have all your colleagues at the organization for support. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Lai also talks about finding the right balance for information security governance – it begins with establishing a good working relationship with everyone in the organization; then recognizing that all risks cannot be mitigated. Your job as a CISO is to be prepared to provide suggestions for security improvements, not just identify problems. “They hire a CISO for a reason,” he says. Then, let the business decide what to prioritize.
… as much as you have a very defined information security roadmap, you also want to identify areas that are potentially a quick win. And when an opportunity arises, those will be the occasions that perhaps it makes sense to execute or do those initiatives. Because if you don’t do it now, then there will be no better timing to do it.
One thing that I truly believe in information security is that you need to tie IT to business and apply context into information security.
If I have to worry about the next attack all the time, it’s not going to make me very effective in my role. So I always think about this – there are so many choices that we have, or so many decisions that we have to make, as long as we are making a conscious decision, whatever that may be, we know we can always back that up.
Guerra: Hugo, thanks for joining me.
Lai: Good morning, Anthony.
Guerra: Hugo, to start out, why don’t you tell me a little bit about your organization and your role there?
Lai: Sure. So I work for Temple Health. It is four hospital systems based in Philadelphia in Pennsylvania. And I am the chief information security officer here.
Guerra: Very good. Thank you. Can you tell me how you wound up as a CISO at a health system, your career and how you wound up getting into technology and then security and then healthcare – in whatever order that happened?
Lai: Certainly, so I started off my security career as a security consultant for many years. Actually, let’s step a little bit back. I studied information security when I was in college, and basically, after I graduated, I got recruited to support a government client working in security consulting. And I continued with that for many years. And I supported many government clients, including NIH and some of the civilian healthcare agencies, if you will. That’s how I got myself into the healthcare industry. And then after that, I started working in the industry, leading a cybersecurity practice for small organizations. And then here I am, with Temple Health.
Guerra: What would you say it is about security that you find most interesting? You know, there’s the CIO route, and then there’s the CISO route. So why did you prefer to go into security as opposed to general technology CIO-type stuff?
Lai: Well, security has always been my interest. I think it has a little bit to do with the experience of when I used to work and study near the Capitol. There was September 11th, and I still remember that day, walking on the street. I was actually doing some part-time work very near the Capitol. And the event happened. The immediate thing that came to my mind is if that can happen in the physical world, it can also happen in the cybersecurity space. So, what struck me really hard, was like, “Okay, this is going to be the next big thing that’s going to be happening.” So I focused on information security, and I believe that this is a field that needs a lot of help, for sure.
Guerra: Very interesting. What would you say are a couple of the trends that you’re looking at, and trying to stay on top of, or positioning your organization to be ready for?
Lai: Identity access management is certainly one. And a lot of my colleagues obviously think that this is going to be the next perimeter, if you will. And I strongly agree with that. There are identities in everything, like in humans, in assets, in devices, everything has an identity associated with it. So if you can protect identity well, that certainly helps to reduce the attack surface for the organization. Nowadays, many attacks don’t really need to have a sophisticated attack, right? If you have leaked credentials, that’s the easiest way to get into an organization. So if you can protect it well, you’re a step ahead.
Guerra: So for identity and access management, from what I understand, it’s where you want to move, but it’s not that easy, especially when you get to the granular level. Can you tell me your thoughts about the challenges of really implementing that program?
Lai: Yes, yes. For identity access management, there are many touch points. And you really need to have the buy-in from the organization in order to do it well. Access is always the first thing that someone would request when they join the organization. And if they don’t get the appropriate access, then you get screamed at, basically. So you have to do it well. So I think, from the beginning, you want to make sure that the organization understands this is going to be a process that they have to go through. And access touches so many departments – from HR, to IT, to clinical. And you need to make sure that all the stakeholders are involved, understand their roles, and then you have to guide them step-by-step into the process. You cannot do everything at once. So you need to have good planning.
Guerra: Right, so, I mean, by definition, you are managing access, and anytime you’re managing access, you perhaps are, unfortunately, requiring an extra step that takes a few extra seconds. And when you do that, you’re going to bother somebody who hasn’t remembered their password, who was just annoyed, in general, with having to take a few extra seconds. So you have to deal with the angry phone calls, on occasion. You’re balancing usability with security, which is a main part of your job, right? Managing usability with security. But this is an area where I suppose that even though you have to do something, you don’t want to create a big barrier to usability. But there has to be a slight speed bump, is that the best way to think about it?
Lai: That is correct. Yes. There will be pain points along the way. But if you can help all the stakeholders to understand what they are, I think in the long run, everyone will benefit from that.
Guerra: All right, let’s talk a little bit about compliance. I think you’ve done quite a bit of work in the compliance area. How would you describe the state of compliance today in terms of what CISOs need to do?
Lai: I think compliance is a must, if you will, in the cybersecurity space. You always want to have checks and balances. So as CISO, I try to work very closely with the compliance officer. I’m trying to understand what their concerns are and help to address the issues proactively. I often see compliance as a partner. And we all try to achieve the same thing. And I think through the audit process, it also helps the organization to understand their processes – particularly in information security a little bit more as well, understanding the weaknesses. Sometimes when you are too into your day-to-day operations, there are things that you don’t see, and compliance comes in to help you understand what perhaps you may be missing in that process.
Guerra: And I know the titles, there are a lot of titles around there that include privacy, obviously, security, there’s legal folks. So in terms of who you have to work with to do your job effectively, it sounds like almost everybody in the C-suite, and maybe more. But tell me your thoughts on the key individuals that you need to have very good relationships with to be successful.
Lai: I think as a C-level executive, you want to have a good working relationship with everyone within the organization. But the ones that I interact with the most include the compliance officer, your general counsel’s office, and then HR, for sure.
Guerra: And the CIO, obviously?
Lai: Of course, yes. The CIO, the CTO; yes, absolutely.
Guerra: Did you report to the CIO?
Lai: I do.
Guerra: That seems to be the most common setup out there. I think there are a few variations on that in terms of where CISOs are reporting. Do you have any thoughts on what you think works, or can anything work, depending on the individuals involved?
Lai: I think each of the models will work. It really depends on the maturity level of the organization. So sometimes, information security needs to work together with IT. You cannot really exceed the pace of IT. So, for example, if you have a lot of infrastructure that needs to be upgraded, the CISO needs to work together with the CIO to partner with him or with her to get that done together. You cannot on the first day jump in and say, “Okay, let’s refresh everything.” Because that’s not possible. So I think it depends on the organization’s maturity level from an IT perspective. In some ways, it works to have the CISO report to the CIO. But I’ve also seen other organizations where you have the CIOs report directly to the CFO, or some other C-level execs.
Guerra: Very good. Let’s talk about audits. We talked about compliance. I believe you’ve been through audits, and things like that. Do you have any advice to your colleagues? That can be one of the most unpleasant letters that you can get; the notification that you’re going to be audited. It usually doesn’t present a very good feeling. You know what’s coming, because audits can last months, years; they can go on forever. They can be very intrusive. But what’s your advice for a CISO who just finds out they’re about to be audited?
Lai: I think preparation is key. You cannot really jump into an audit without preparation. So, on a day-to-day basis, you really need to make sure that you have audit documentation available and have a robust process. When the audit comes in, I think it’s just a matter of validating whether you are actually doing what you’re supposed to be doing. So there shouldn’t be anything surprising, per se, in an audit. Obviously, understanding the regulations, that will help. But I think there are times that you want to really have a conversation with the auditor to truly understand what they are trying to achieve in that audit or what that objective is. And you might want to have an angle, because cybersecurity is not something that is easily understandable for individuals outside of cybersecurity. You really need to help them understand why it is important that you’re doing what you are doing. And at the same time, help them to understand how you are achieving or meeting their objectives in doing what you do.
Guerra: Right. You know, cyber insurance is a huge issue. And I think when you apply for cyber insurance these days, it sounds like, essentially, you’re being audited. Although it may be all self-reporting. Right? You are giving them all the information. I don’t think they’re coming in and checking everything. Although, if you attest to anything that you are not doing, and there’s an issue, they’re not going to pay. I’ve read an article about that recently, where the insurance company said that their customer promised to use multifactor authentication and there was a breach. It turns out the customer wasn’t using multifactor authentication, so the insurance company denied the claim. So how would you describe the cyber insurance process today? And maybe anything you found that works in terms of either attaining it, or in dealing with that process?
Lai: From a cyber insurance standpoint, I think the best way is, don’t think of it as an insurance policy. I think that’s more like the last resort, right? So I don’t think about it too much, to be honest with you. Yes, essentially, when it comes to applying for insurance, there’s a slew of questions that you have to answer. But that should be the security controls that a CISO or the information security program should be addressing in the first place. So, again, there shouldn’t be anything surprising in there. I think as long as you have good strategic planning in your information security program, the cyber insurance company is also willing to help you out.
Guerra: It sounds like a lot of what you’re saying is, if you’re doing your job the right way, then you don’t really have to sit around and stress about what to do if you get audited or about getting cyber insurance. You really don’t have that much to worry about. Is that your approach to the job?
Lai: Yes. And obviously, you cannot do everything at once. So what’s important behind this is that you need to have a clear rationale as to why you are doing what you’re doing now, and why you are doing other security controls perhaps half a year down the road or a year down the road. You are helping the organization to manage information security risks. It is impossible to eliminate or to remediate risks, but as long as you help the organization to understand what these risks are and have a game plan for it, then I think everyone is on the same page. And it doesn’t matter whether you get audited or not. You have all colleagues in the C-suite to support you.
Guerra: That’s a really great point. You can’t do everything at once. A lot of things need to be done. So it makes me think of IT governance, which, in general, is a huge, very important issue or process in health systems, right? There’s a certain amount of money needed and there’s a certain amount of time required, and a million things are requested. So how do we decide what to do? That’s IT governance. You’re talking about the same thing for IT security. There has to be a governance process that says, “We’re going to stratify our risks. Here are the things we need to do. Here’s the risk level we’re assigning to each. What are we going to do first?” Now, can you talk about your defined process for deciding that with committees? And then as you said, down the road, if you have an auditor come in, or there’s an issue, you can rationally explain, “Here’s our roadmap. It’s stratified by risk and importance. Here’s why we haven’t done the seventh thing on the list. It’s coming.” So you can at least explain that to any interested party. But can you give me your thoughts or process around IT security governance for making those decisions?
Lai: Yes, I think this is where it’s important to have good communication with your peers, right? Within the organization, you need to help them understand what your priorities are, and at the same time, you need to also understand what their priorities are. And you need to find that right balance. I think with information security governance, you can have a formal process around it. But at the same time, just a day-to-day communication, your interactions with your peers, sometimes that defines the process already. Like you are trying to get an understanding of what’s important and try to align the initiatives together. And, essentially, that’s what you need to do. Then in addition to that, there will also be times that you need to be a little bit flexible, as well.
So as much as you have a very defined information security roadmap, you also want to identify areas that are potentially a quick win. And when an opportunity arises, those will be the occasions that perhaps it makes sense to execute or do those initiatives. Because if you don’t do it now, then there will be no better timing to do it.
A good example would be if an organization experienced a breach, all of a sudden you have all the attention to really formulate the information security program to what you want to do, so you don’t want to put that to waste. Obviously, I’m not saying that you should wait for an incident to happen – there will be other opportunities. Perhaps, for example, like taking on a cloud initiative. So you want to do your homework upfront, knowing what’s coming and be prepared to tackle those initiatives with the rest of your colleagues. Do those together. So have an information security roadmap defined, but at the same time, try to think ahead, and I think those will be key or at least, from my perspective, how to build a good information security plan, but be flexible.
Guerra: Do you have a particular framework that you work towards? A lot of people like NIST. There are certain benefits for doing some of these. 405d, which has some information out there, if you can show that you’ve worked towards these particular frameworks, you don’t have a safe harbor, but you get the benefit of the doubt from the government. I mean, these are formal things.
Lai: Yes, I think the NIST cybersecurity framework is definitely the de facto standard, if you will, for many organizations. It has been vetted by the government. It is very comprehensive. It’s easily adoptable, you know, to many industries and organizations. So, in my mind, that’s the framework that I would use.
Guerra: Okay. When we talk about communicating risk, do you have any thoughts around that? Because you don’t want to be making the decision, per se. From what I understand, you want to communicate to the business leaders – maybe it’s the CEO, or the CFO, or even the CIO – you want to communicate the levels of risk in any situation. And they’ll decide about how much risk they want to accept in any particular area. Is that correct? And what’s your advice for making sure that you are communicating as you wish, because you’re sometimes translating IT security speak to business speak, right? Because you have to make sure the individual you’re speaking to understands what you’re saying. So what are your thoughts around that?
Lai: Yes, so I think as a CISO, you certainly have to take up that responsibility to make sure that you’re communicating the cyber risks to the business leaders. Maybe a better way to approach this is to come in with an angle. Provide them with some options to pick from. They hire a CISO for a reason. So you have to be prepared when being asked for recommendations. You need to know what you’re doing, right? You need to know, understand, what the business is lacking. So, not really dumping the problem on them as a way of how you want to manage it, but rather, you want to give several options so they can pick the right one in order to manage the risk appropriately.
Guerra: That’s a great point – give them options. Let’s talk a little bit about today’s workforce. In a number of your recommendations that I read on your LinkedIn profile, people who worked for you said you made them feel their input was valued and utilized. You’re gathering opinions, make them feel valued and included. It mentioned your kindness and willingness to support your team. So certainly, you sound like somebody pleasant to work for. I would imagine that’s part of what you believe is necessary in order to create a good, well-functioning team. There are a lot of workforce issues out there. People have a lot of choice, especially in cyber. They don’t even need to stay in healthcare, right? They could go into any industry. I mean, those skills are very transferable. So you have to bring more than a paycheck to the table, especially at a health system where you can’t perhaps pay Silicon Valley salaries. So what’s your approach to creating an environment that specifically cybersecurity folks want to work in and can feel fulfilled working in?
Lai: Right, so certainly, nowadays, there are many challenges in recruiting the right talent into cybersecurity. My approach to this is to obviously empower your team to do what is important, but I also think that it’s equally important to help your team understand the challenges that the CISO is facing on a regular basis so that they can align with your thoughts. I also think that it’s important to let your team be aware of the other different issues out there and be transparent with them. So the more that you can do that, I think the easier it will be for the team to form that camaraderie, if you will, together—so that we’re all achieving the same goals and objectives. Healthcare is very challenging. I think, in my mind, if you really want to form a good team, you need to make sure that your team understands the objective of the organization, that they believe in that mission. There are many, many options out there for a good cybersecurity engineer or analyst. But if you make them believe in the mission of the organization, and they believe in your strategy in building the information security program, I think that helps, not only just to retain them, but on a day-to-day basis, you’re building a more effective team.
Guerra: So a couple of things there. Number one, it sounded like what you’re saying is don’t sugarcoat it, in terms of your team. Tell them not only what you’re facing as a group, but you personally as a CISO. “So guys, here’s what I have to manage and deal with. Here’s what we all have to deal with.” Is that what you’re saying?
Lai: Correct. I think the more that you can share with the team, you’re also helping to groom them. You’re grooming them to become the next CISO, or the next leaders in the industry. So I think the team will appreciate that.
Guerra: Yes. When you say tied to the mission in healthcare, everybody should be tied to the patient care aspect of what they do. Obviously, as you get into IT and IT security, you get a bit more removed. But I think what you’re saying is you want them to feel tied to actual patient care. And how do you go about doing that? Some people say, “Well, I have my IT team round, you know, we actually round so we could see how people use the technologies that we protect.” Do you have thoughts? Do you want them to remember that what they do affects patient care?
Lai: Absolutely, absolutely. Yes. So obviously, for the ones that we hire, they understand, believe in it, but you also have to help remind them why we’re doing what we’re doing. And sometimes, just show them around. One thing that I truly believe in information security is that you need to tie IT to business and apply context into information security. There’s no one interpretation of a security control in the audit. In the audit language, there are always many different angles to it. So how you approach it, you know, it’s important, and you have to show your team how you are approaching information security, or how you’re applying the information security principles within the organization. So show them around the different technologies that the health system is using, and make sure that they understand why we are doing it the way that we choose to do it. I think that’s important, and also allow them to see some of the challenges that the clinicians are facing out there. And I think by doing that, you are building a relationship and also helping the team to understand how they should tackle some of the problems in information security on a day-to-day basis.
Guerra: All right. Well, we are almost out of time. And just as a final question, I want to ask you about CISO burnout. Burnout’s tough. Burnout’s all over healthcare. And I would imagine in security, it’s right there, and especially at the CISO position. So what are your thoughts on managing work-life balance, avoiding burnout, and if you don’t mind me asking, what is your number one thing to do when you want to relax? What’s your go-to? Do you have a hobby or a go-to that helps you step away?
Lai: Right. I don’t have a hobby per se. But I do practice martial arts, and I think it helps. And I practice martial arts together with my daughter so that’s my thing to do when I get off work. I think that really helps to manage my stress level. If I have to worry about the next attack all the time, it’s not going to make me very effective in my role. So I always think about this – there are so many choices that we have, or so many decisions that we have to make, as long as we are making a conscious decision, whatever that may be, we know we can always back that up. Right? And when a breach happens, you really need to rely on your team or your colleagues. So as long as you have that relationship with your peers, then I think at the end of the day, well, that’s just something that you have to get done together. But at least you can rely on someone, from a psychological perspective. You know that you’re not alone, as much as you are the CISO within the organization. But you know that your team is right behind you and tackling the same problem.
Guerra: Awesome, Hugo. Wonderful, wonderful talk. I think our readers are really going to enjoy it. So I want to thank you very much for your time today.
Lai: Thank you very much, Anthony.