Here at Cisco, we like to celebrate people in the cybersecurity industry who are leading the fight against bad actors, as well as those creating a secure culture for organizations and the people within them. This month, we interviewed Esmond Kane, CISO of Steward Health Care. Read on to learn about his journey and how he leads his team:
What were you doing when you got your first taste of cybersecurity?
First of all, while I am honoured and deeply thankful for the recognition, I believe strongly that Security is a team effort, and I must acknowledge the superb InfoSec team at Steward, but also the Steward workforce. I thank you all for keeping our patients safe and secure!
My story is the same as millions of emigrants to the US. I like to say this generation of emigrants didn’t so much build railroads, we built information superhighways but with the same radical economic impact.
I grew up as a computer-obsessed misfit in sports-mad rural Ireland. My hometown, Ballina, is not just President Biden's ancestral home; it's also known for the incredible Jackie Clarke Museum, an amazing Salmon festival and more. The teachers in the local high school, St Muredach's, did their best to cover the emerging field of Computer Science, and I cannot thank them enough for being my introduction to everything cyber.
College in Belfast and Dublin was a bath of fire. I remember discovering Phrack, 2600, the Cult of the Dead Cow, reading the code for the Morris worm. In the '90s, Cybersecurity didn't exist as a formal discipline or curriculum; we were just kids red-teaming the college systems for pranks and bragging rights. It never occurred to us that there was a career in this.
I learned the discipline, the practice of cybersecurity, when I emigrated to the US in the '90s. I learned on the job, fighting malware outbreaks, working my way up from the Helpdesk at the same time the whole planet was embracing the internet to radically transform business. We all absorbed and helped codify the core tenets in the only place you could at the time: the workplace.
Eventually, I was presented with an opportunity to focus on security around a decade ago, and I jumped right in. The economic impact of cybercrime had finally reached the breaking point where it needed dedicated practitioners, and as the go-to for cybersecurity everywhere I had worked, it was a natural evolution.
What are the things that really drive you on a personal level?
Wherever I work, I am driven by the mission and I have to value the end goal. I advise anyone getting started in Cybersecurity to find somewhere they can work with “smart people solving big problems.” I have that. I find it incredibly inspiring to work with Steward IT and Infosec, our clinicians, the doctors and nurses giving everything they can to help our patients, especially through COVID. Steward’s commitment and dedication to patient care, and the communities we work in, is worthy of praise and my loyalty.
Walt Whitman (or more recently Ted Lasso) said we must be curious, not judgemental. This is a career that rewards a commitment to learning, the need to start and restart. I often think of my father, who emigrated to the US when he was 60. I am not sure I can be that brave, but I know that at any time I may have to confront decades of accepted wisdom, to realize we have to try again one more time. I try to keep an open mind and to hire people who commit to the wonder, the fun in answering hard questions without getting territorial and tribal.
I enjoy doing the impossible. Getting security moving, executing on a strategy, is harder than it appears, and unfortunately far too many security programs exist as a PowerPoint fantasy, the Feynman fallacy of "I told you so" buried on slide 25. I find the same with compliance: when done properly, compliance is a natural outcome of good security, but if you find yourself just checking boxes, it may be time to find somewhere else to work. That said, unless you are in an information security business, I advise people to play the best second fiddle (or left shark) that you can; it's imperative to empower the business.
What has been the impact of the pandemic?
It's not over yet. Please continue to follow the CDC guidance, especially if you have not been vaccinated fully. It's too early to relax and let this get worse just as it looks to be getting better. It's often not how well you prepared but how you react during an adverse event that defines your safety, in a pandemic and in cybersecurity.
In future years, Healthcare will be measured in pre- and post-pandemic terms. The impact was significant; some industry reports say that digital adoption accelerated by as much as 7 years. Telehealth and remote working were under immense strain at the same time we were managing increased pressure on ICUs, allocating PPE, ventilators and respirators, and accounting for staffing rotations. Security solutions had to be pragmatic to scale to the exponential increase in demand for IT and cloud, to adopt new solutions. I give kudos to OCR, the HIPAA regulator, who acknowledged the necessity by allowing for an "enforcement discretion" through the pandemic.
Cyber attacks during the pandemic escalated by as much as 600%. I now understand what Seamus Heaney called the "truth and risk" that surround us; the human proclivity for self-destruction was never more stark than when we faced weaponized disinformation and merciless ransomware attacks while millions were dying. Across Healthcare, infosec had to help IT rapidly improve endpoint hygiene, VPN posture assessment, handle all the COVID-related phishing, increase and mitigate cloud exposure, and more. It will continue; Healthcare will have some risk to unravel after the pandemic, to allow the business of patient care to continue to grow securely.
Do you ever find it difficult to divorce yourself from the frustration of how cyber criminals are targeting the healthcare industry?
The worst of humanity is trying to profit from the misery of the pandemic. Criminals have demonstrated that even the well-prepared are ripe targets for exploitation. We need to change from a prevention mentality to one of resilience. We will never eliminate risk; the question is how do you manage it sufficiently so that you can take on even more? My thinking is that Healthcare security must roll up its sleeves to ensure Healthcare benefits from the digital disruption, the new cloud and IT solutions necessary to meet the pandemic.
Too often, security teams only see the broken processes, the criminals exploiting user and system vulnerabilities. Obviously you need to be communicating and executing the strategy on what to do if you have an adverse event, but Security also faced a growth challenge through the pandemic. While I worry about the fatigue and burnout our security teams face, I embrace the challenge to change how we secure. If all your security team does is identify threats and not help to mitigate, if you're the person who shows up and just says "no," you're never seen as the person who says "go." The new normal is an increased digital element of patient care, an increased expectation of remote work; what did you do that you can continue to build upon?
How does your role as a security leader change depending on what type of organization you’re in?
You have to understand the culture and the business. You need to know how your company solves problems. Know what appeals to your board. You also need to understand what you bring to the table. Based on a decade working in academia and over a decade in healthcare, I recommend keeping your grab-bag stocked with whatever hat is necessary to wear at any time, to be authentic and build trust.
I believe in continual recruiting. You must always develop your skills, and you should always know what kind of candidates are having success in the market. Hopefully you get to hire those folks, but maybe they end up hiring you. Soft skills like collaboration and communication, curiosity, passion and stamina are evergreen in all industries but also inherently hard to acquire; different industries of different sizes may need more or less technical exposure, but that's typically something you can train or bootcamp. I find that overly rigid mindsets do not survive for long in Healthcare.
Clinicians understand all the safety protocols of surgery, the checklists involved with prescription medicines and more. Speak in terms that appeal to those business leaders. Avoid unnecessary jargon and especially the dizzying array of TLAs (three letter acronyms): PPT (people, process and technology), PDR (protect, detect, respond) and CIA (confidentiality, integrity and availability). OMG!
Are you someone who likes to set goals for yourself, and if so, how do you work towards a desired outcome?
"You can't manage what you don't measure" applies to your security program and your personal development. Start with crude metrics: traffic lights, T-shirt sizes. Try to build meaning from what is to hand, to answer the impossible question "Are we secure?" Set both strategic and tactical goals; measure demand, impact on risk, progress and spend. There are abundant resources like CIS self-assessment, ISACs and more, to broker peer conversations. For instance, maybe I want to improve our cloud security adoption. Now I need to be able to act at the speed of cloud. I need to be able to mitigate risk in near-real time. That means that I need to think about things like Cloud Access Security Brokers (CASB), single sign-on, and orchestration. But where does that fit in your budget lifecycle, your ERP, the organisation's IaaS strategy?
What I do with my teams is to try and spend 20 percent of my time being strategic, the same on communication and outreach, and the rest of my time is spent dealing with operational delivery and technical issues, the tactical. I find it best to hire the right calibre of people and just get out of their way. To help them, build an analytics capability to measure risk and compliance, to develop metrics to indicate how well you're doing and what you need to do better. Do your best so that ops build efficient workflows, preferably automated, to combat pile-up and to separate signal from noise for your threat hunters. I find the cloud magnifies any poor (typically legacy) process; architects and reference design can help here, not just with today's problems but also tomorrow's, at least when they're not overloaded.
Speaking of tomorrow’s problems and issues, how is privacy figuring into your plans over the next few months?
Privacy is something that all industries need to be a lot better at, especially Big Tech with its continued reports of shocking privacy abuses. Healthcare has had decades of honoring privacy, and there appears to be growing appetite for more legislation at the State and Federal level. Even without new legislation, with the maturation in Electronic Health Record systems and as advocated in H.R. 7898, the HIPAA "Safe Harbor" bill, there's an organic opportunity to align privacy and security programs with industry best practices and frameworks.
The pandemic demonstrates that good patient care no longer ends at the patient bedside; it's in the home and much more convenient for our patients. It's about predicting issues before they become acute enough to present at the ER. The journey to a "smart hospital" and personalised medicine involves risk; it may involve adopting cloud, consumer tech and industry collaborations, around machine learning, augmented or artificial intelligence. I encourage some caution: the bad guys are also adopting these tools, and they are attacking your supply chain. I believe strongly that well-aligned security and privacy programs can empower that conversation around privacy and security risk, about innovation and growing the business.
One of the things I look at when I engage with an organization is how closely the security team collaborates with their colleagues in privacy and compliance, as well as what the relationship is with the general counsel, contracting and procurement. You need to know if you are asking the right questions to the right people. The answer to most big questions in security is not "42"; it's more likely "it depends, can I work with you to learn more, who have you worked with so far?"
How do you look for and recruit great team members within your organization?
I'm a big believer in continual recruiting and in having a diverse candidate base to dip into when the need arises. I try to get out and talk to as many people as I can, especially people in other industries, universities, upskilling programs and more. Everyone is a potential candidate. It's not just external; it's also internal. I have found ripe recruits in the helpdesk, account management, desktop engineering and networking teams. Dan Geer likes to talk about the concept of "Hybrid Vigor," about how a diverse background, a meandering path through the University of Life, can lead to success in cybersecurity. I could not agree more; the industry is evolving and you never know what skills may be necessary or who has those skills.
If you can, hire, but if you can't, develop. Look everywhere for those people who are asking interesting questions and who are following up with you on interesting problems. You may need "rock stars," people who can look at a screen full of gibberish and tell you what the problem is, but they may have unreasonable demands, the stereotypical bowl full of brown candy. There's tremendous value in what I call Watsons, the folks who put in the effort and learn, with the potential to become Sherlock.
Don't forget about retention; your job doesn't end with hiring. Hopefully you are creating an environment for your staff to be creative and to develop, to be promoted and rewarded, to stay. If they do leave, congratulations, you just sent another ambassador out for your program. Stay in contact and you will be surprised what a small world it is.
At some unknown future date, you may need the best healthcare you can get to help overcome some of the biggest health challenges we will ever face. Improving security in healthcare is in everyone's best interest; mentoring the team bringing those improvements just makes sense. Some might call it smart.
To listen to more from our CISO of the month, Esmond Kane, you can listen to his story on our Security Stories Podcast here:
Check out Esmond’s Journey of a CISO video: https://www.cisco.com/c/en/us/products/security/ciso-conversations.html
Esmond Kane is Cisco's CISO of the month. Each month, we'll be talking to different CISOs as part of our Cisco Security Executive Connection. To learn more about the program, see https://www.cisco.com/c/en/us/products/security/ciso-connection.html