1
00:00:00,220 --> 00:00:02,185
- <silence> Welcome to the
Becker's Healthcare Podcast, made

2
00:00:02,185 --> 00:00:03,865
for the people who power US healthcare.

3
00:00:04,085 --> 00:00:05,385
I'm Molly Gamble, Becker's,

4
00:00:05,385 --> 00:00:07,305
and today I am sitting down with Shefali

5
00:00:07,305 --> 00:00:09,505
Mookencherry, Chief Information Security

6
00:00:09,605 --> 00:00:12,865
and Privacy Officer with
University of Illinois Chicago.

7
00:00:13,605 --> 00:00:14,825
Shefali, welcome to the podcast.

8
00:00:15,035 --> 00:00:17,985
Thank you so much for being
my guest. How are you today?

9
00:00:18,005 --> 00:00:19,825
And where does the podcast find you?

10
00:00:21,585 --> 00:00:23,415
- Thank you for first of all, having me,

11
00:00:23,515 --> 00:00:25,935
and I'm looking forward
to a great conversation.

12
00:00:26,835 --> 00:00:30,975
And right now I am here
in the suburbs of Chicago

13
00:00:31,195 --> 00:00:33,135
and with some snow, so, uh,

14
00:00:33,135 --> 00:00:34,615
looking forward to Spring <laugh>.

15
00:00:35,015 --> 00:00:36,015
- Likewise. Yeah.

16
00:00:36,015 --> 00:00:39,255
For listeners, we're enduring
our second winter here in

17
00:00:39,255 --> 00:00:40,815
Chicago after a full spring,

18
00:00:41,035 --> 00:00:43,535
so Shefali will hope the next spring sticks.

19
00:00:43,795 --> 00:00:46,575
Um, but for listeners
who want to be more familiar

20
00:00:46,685 --> 00:00:48,335
with University of Illinois, Chicago,

21
00:00:48,635 --> 00:00:51,495
can you share a few key
facts about the organization

22
00:00:51,595 --> 00:00:53,135
and then also your role within it

23
00:00:53,435 --> 00:00:54,935
as Chief Information Security

24
00:00:55,515 --> 00:00:57,095
and Privacy Officer, just

25
00:00:57,095 --> 00:00:58,735
to help us better acquaint ourselves?

26
00:01:00,465 --> 00:01:03,245
- Oh, absolutely. So, you know,
the University of Illinois,

27
00:01:03,245 --> 00:01:07,085
Chicago is part of a larger, uh, system,

28
00:01:07,385 --> 00:01:08,765
higher education system.

29
00:01:08,905 --> 00:01:10,885
So it's the University of Illinois system,

30
00:01:10,945 --> 00:01:12,925
and then there's three campuses.

31
00:01:13,025 --> 00:01:17,365
So I represent the,
uh, Chicago campus, uh,

32
00:01:17,385 --> 00:01:18,845
so University of Illinois, Chicago,

33
00:01:19,545 --> 00:01:23,645
and it is located right in
the city of Chicago, one

34
00:01:23,645 --> 00:01:28,165
of the largest, uh, universities
within the state as well.

35
00:01:28,665 --> 00:01:33,325
And it has about 34,000
students, about 20 plus,

36
00:01:33,745 --> 00:01:35,485
uh, thousand employees.

37
00:01:35,905 --> 00:01:39,965
And, you know, we are made
up of 16 colleges where,

38
00:01:40,465 --> 00:01:44,005
you know, we have healthcare
components such as the College

39
00:01:44,005 --> 00:01:46,245
of Medicine, College of Dentistry,

40
00:01:46,245 --> 00:01:48,405
and College of Pharmacy as well.

41
00:01:48,705 --> 00:01:52,005
And so we have a mixed bag
of, you know, when folks think

42
00:01:52,005 --> 00:01:55,725
of University of Illinois,
uh, Chicago, you know, we do,

43
00:01:56,065 --> 00:01:57,245
uh, a lot of research.

44
00:01:57,295 --> 00:02:01,205
We're an R1, um,
research entity as well,

45
00:02:01,295 --> 00:02:04,365
which means we do a very high volume

46
00:02:04,625 --> 00:02:07,365
of research about over
half a billion dollars

47
00:02:07,365 --> 00:02:08,405
worth of research revenue.

48
00:02:09,145 --> 00:02:13,605
And we do have a hospital, UI Health, uh,

49
00:02:13,605 --> 00:02:14,765
which is the hospital system

50
00:02:14,875 --> 00:02:16,525
that is here in the Chicago campus.

51
00:02:17,105 --> 00:02:20,085
And so we work very closely,
uh, with our partners there.

52
00:02:20,825 --> 00:02:23,725
And, you know, we have
about close to, you know,

53
00:02:23,725 --> 00:02:25,485
80 plus bachelor's degrees.

54
00:02:25,905 --> 00:02:30,285
We have over a hundred master's
degrees, over 60, uh, plus

55
00:02:31,045 --> 00:02:34,245
doctoral degrees all
through our 16 colleges.

56
00:02:34,425 --> 00:02:38,245
And, you know, we do now also
have the John Marshall Law

57
00:02:38,245 --> 00:02:40,805
School, and it's been
renamed to, uh, you know,

58
00:02:40,805 --> 00:02:44,525
the UIC law school, uh, and recently.

59
00:02:44,665 --> 00:02:48,565
And so, you know, we honor
all sorts of students

60
00:02:48,865 --> 00:02:50,845
and employees and, you know,

61
00:02:50,845 --> 00:02:54,245
we work very hard on
our diversity, equity,

62
00:02:54,265 --> 00:02:55,885
and inclusion efforts as well.

63
00:02:56,105 --> 00:02:58,485
So, um, you know, it's
a great place to be.

64
00:02:58,705 --> 00:03:00,725
And, and, you know, I
welcome any questions.

65
00:03:01,235 --> 00:03:03,405
- Yeah, well, I, that's good

66
00:03:03,405 --> 00:03:06,605
because I have many, Shefali, about
your, your role, <laugh>.

67
00:03:06,605 --> 00:03:08,005
I mean, what an interesting time

68
00:03:08,585 --> 00:03:10,725
to be talking about information security,

69
00:03:10,895 --> 00:03:12,565
especially in the realm of healthcare,

70
00:03:13,145 --> 00:03:15,245
and you're also at the university level.

71
00:03:15,905 --> 00:03:19,365
Um, do you feel as though
our social consciousness

72
00:03:19,425 --> 00:03:23,685
or our national attention
at a high level 30,000 feet,

73
00:03:23,705 --> 00:03:26,405
do you feel like we
are paying attention to

74
00:03:26,405 --> 00:03:28,525
and talking about the
right things when it comes

75
00:03:28,525 --> 00:03:29,565
to cybersecurity?

76
00:03:29,945 --> 00:03:30,945
Let me start there.

77
00:03:32,405 --> 00:03:35,295
- Yeah. So I think it just
depends on the context

78
00:03:35,435 --> 00:03:38,695
of cybersecurity that folks
are paying attention to.

79
00:03:38,835 --> 00:03:40,575
You know, almost every day,

80
00:03:40,825 --> 00:03:43,575
every other hour we hear
about some organization

81
00:03:43,605 --> 00:03:47,295
that has been compromised or
is reporting a breach, right?

82
00:03:47,435 --> 00:03:51,575
And so it's kind of become
part of our day-to-day life.

83
00:03:52,275 --> 00:03:55,055
Um, you know, because we
are more technology savvy,

84
00:03:55,315 --> 00:03:57,975
we have a lot of innovation
going on, you know,

85
00:03:58,035 --> 00:04:00,535
put artificial intelligence
in the middle of all that.

86
00:04:00,915 --> 00:04:02,415
Uh, we have a lot of controversy.

87
00:04:02,715 --> 00:04:06,655
We have, you know, federal
regulations that come down, um,

88
00:04:07,075 --> 00:04:10,135
and more so from, uh, the, uh,

89
00:04:10,325 --> 00:04:12,535
federal level than we ever have before.

90
00:04:12,715 --> 00:04:16,135
And that really tells us our
cybersecurity landscape is

91
00:04:16,455 --> 00:04:21,135
changing, and it's becoming
more of a business focus

92
00:04:21,315 --> 00:04:23,895
for many organizations, uh, more so than

93
00:04:23,895 --> 00:04:24,975
before, I would say,

94
00:04:25,165 --> 00:04:28,655
because it is more about how
do we safeguard revenues?

95
00:04:28,675 --> 00:04:29,815
How do we prevent harm?

96
00:04:30,435 --> 00:04:34,135
How do we, you know, prevent,
uh, data leakage, uh,

97
00:04:34,155 --> 00:04:39,135
and how do we keep our
organizations, you know, continuing

98
00:04:39,135 --> 00:04:42,575
to provide the services that
adhere to our mission, right?

99
00:04:42,835 --> 00:04:45,935
And, and doing it without having some type

100
00:04:45,935 --> 00:04:48,615
of cybersecurity attack or,
or breach of information.

101
00:04:49,075 --> 00:04:51,655
And it gets harder and
harder to do that as much

102
00:04:51,655 --> 00:04:54,415
as we talk about
technological advances, uh,

103
00:04:54,415 --> 00:04:55,415
for cybersecurity.

104
00:04:56,235 --> 00:05:00,495
The malicious attackers are
probably two steps ahead

105
00:05:00,555 --> 00:05:03,815
of everybody else that's
trying to find funding

106
00:05:04,155 --> 00:05:07,135
to really do cybersecurity practice

107
00:05:07,275 --> 00:05:08,775
and put in protocols

108
00:05:09,275 --> 00:05:12,095
to do what's needed for an organization.

109
00:05:12,095 --> 00:05:13,615
Sometimes funding is an issue.

110
00:05:14,355 --> 00:05:15,375
- Mm-Hmm, <affirmative>. Mm-Hmm.

111
00:05:15,415 --> 00:05:17,535
<affirmative>, let me ask you there too.

112
00:05:17,575 --> 00:05:19,775
I mean, when we talk about
these malicious attackers,

113
00:05:19,975 --> 00:05:22,975
I remember at, at Becker's,
we first reported on,

114
00:05:23,355 --> 00:05:26,015
at least the first
hospital ransomware incident.

115
00:05:26,135 --> 00:05:27,935
I, I was aware of 2016.

116
00:05:28,155 --> 00:05:30,895
It was a really small
hospital in rural Kentucky.

117
00:05:31,635 --> 00:05:33,895
And since then, over
those past several years,

118
00:05:34,025 --> 00:05:37,335
we've seen the nature of these malicious,

119
00:05:37,685 --> 00:05:39,095
it's the right word for it,

120
00:05:39,095 --> 00:05:41,855
because these attacks,
sometimes there's just damage

121
00:05:41,875 --> 00:05:44,855
or inflicted, and it's
not even tied to the goal

122
00:05:44,955 --> 00:05:46,935
of obtaining a ransom payment.

123
00:05:47,165 --> 00:05:50,495
It's just seemingly to wreak havoc, um,

124
00:05:50,835 --> 00:05:54,055
invade patients'
privacy, employees' privacy.

125
00:05:54,845 --> 00:05:57,055
What, what have you seen
about the nature of some

126
00:05:57,125 --> 00:06:01,005
of these attackers, uh, when these, uh,

127
00:06:01,075 --> 00:06:03,885
attacks were orchestrated
in the past near decade?

128
00:06:04,105 --> 00:06:05,845
Any, any thoughts or observations there?

129
00:06:08,005 --> 00:06:09,815
- Yeah, you know, there's,
there's a lot there

130
00:06:09,955 --> 00:06:11,295
that's happening lately.

131
00:06:11,635 --> 00:06:15,015
And, you know, some folks may
think of it as ransomware,

132
00:06:15,035 --> 00:06:16,455
as a service, right?

133
00:06:16,955 --> 00:06:18,655
Um, you know, there are ethical hackers

134
00:06:18,675 --> 00:06:20,415
and then there are non-ethical hackers,

135
00:06:20,435 --> 00:06:23,095
and that are really in it for a business.

136
00:06:23,235 --> 00:06:26,215
You know, there's a lot
of money to be made, uh,

137
00:06:26,245 --> 00:06:29,775
unfortunately from the
demise of organizations.

138
00:06:29,995 --> 00:06:34,895
And what is that demise is
based on, um, you know, harm

139
00:06:35,195 --> 00:06:36,815
or whether it's based on making money

140
00:06:37,315 --> 00:06:40,695
or if it's to, you know,
damage an organization's brand.

141
00:06:41,075 --> 00:06:45,055
Um, there's just a multitude
of reasons as to why, you know,

142
00:06:45,155 --> 00:06:48,615
we see ransomware more
prevalent than we ever have.

143
00:06:48,955 --> 00:06:50,855
And, you know, every year
I look at different sources

144
00:06:51,195 --> 00:06:53,695
and I continue to see
from one year to the next

145
00:06:53,695 --> 00:06:56,135
that we continue to say, we'll see more,

146
00:06:56,145 --> 00:06:57,415
we'll see more, we'll see more.

147
00:06:57,995 --> 00:07:01,375
We don't see, oh, we've seen
a decrease in, you know,

148
00:07:02,005 --> 00:07:04,655
compromises or cyber attacks or breaches.

149
00:07:04,675 --> 00:07:05,855
We just continue to see it

150
00:07:06,135 --> 00:07:07,295
escalate from one year to the next.

151
00:07:07,315 --> 00:07:08,655
And I think the evolution

152
00:07:08,655 --> 00:07:12,975
that we are seeing here is
it's ransomware right now,

153
00:07:13,715 --> 00:07:15,895
but what about it turning
into something called

154
00:07:16,085 --> 00:07:17,255
killware, right?

155
00:07:17,385 --> 00:07:21,135
Where, um, you know, it's an
evolution of hacking where,

156
00:07:21,915 --> 00:07:24,335
you know, there might be
competition between hacking groups.

157
00:07:24,515 --> 00:07:26,575
Uh, you know, we know so
many ransomware groups

158
00:07:26,575 --> 00:07:27,895
that are out there that want credit.

159
00:07:28,405 --> 00:07:29,495
Some don't take credit,

160
00:07:29,715 --> 00:07:31,415
but there's different purposes as

161
00:07:31,415 --> 00:07:32,655
to why they all do what they do.

162
00:07:33,075 --> 00:07:37,415
So I believe that there is a
reason that's critical enough

163
00:07:37,675 --> 00:07:40,655
to warrant it as a business, right?

164
00:07:40,875 --> 00:07:44,055
And, and so now for folks
that are not in the business

165
00:07:44,055 --> 00:07:46,455
of ransomware as a
service, um, majority of us

166
00:07:46,455 --> 00:07:49,015
that are looking to
protect our environments

167
00:07:49,095 --> 00:07:52,015
and our organizations is
that, you know, we try

168
00:07:52,015 --> 00:07:54,335
to get better educated on
these ransomware groups,

169
00:07:54,555 --> 00:07:57,695
but at the same time, I
think, you know, we're just

170
00:07:57,695 --> 00:08:00,255
as vulnerable to understand
why they're doing it.

171
00:08:00,795 --> 00:08:03,455
And, you know, trying to
put in security measures,

172
00:08:03,815 --> 00:08:08,735
security controls, policies,
practices, uh, you name it, uh,

173
00:08:08,735 --> 00:08:10,135
trying to make sure that, you know,

174
00:08:10,915 --> 00:08:12,935
we don't all fall victim, right?

175
00:08:13,395 --> 00:08:14,655
- Mm-Hmm, <affirmative>.
Mm-Hmm, <affirmative>

176
00:08:15,275 --> 00:08:18,135
and Shefali, that, that ransomware
as a service, you know, it's,

177
00:08:18,335 --> 00:08:19,375
I, I've seen that term

178
00:08:19,515 --> 00:08:22,015
and I, I guess I haven't
been as curious about that,

179
00:08:22,075 --> 00:08:25,375
but that is, is that a,
basically a, a ransomware vendor

180
00:08:25,625 --> 00:08:29,015
where if you were interested
in carrying on an attack,

181
00:08:29,035 --> 00:08:31,495
you would hire this
group to execute it and,

182
00:08:31,515 --> 00:08:32,655
and perform it for you.

183
00:08:35,545 --> 00:08:37,565
- You know, there's all sorts of models

184
00:08:37,995 --> 00:08:40,525
that could be out there as
ransomware as a service.

185
00:08:41,105 --> 00:08:45,245
And I do believe that it just
depends on, um, you know,

186
00:08:45,245 --> 00:08:49,165
where you have these ransomware
developers that could lease

187
00:08:49,185 --> 00:08:52,805
or sell, uh, some of their
ransomware code to other hackers.

188
00:08:53,385 --> 00:08:55,245
Um, you know, there are different types

189
00:08:55,245 --> 00:08:59,325
of ransomware customization
tools, um, malicious programs,

190
00:08:59,665 --> 00:09:03,405
um, infrastructure control
panels, uh, technical support

191
00:09:03,585 --> 00:09:05,525
and instructions that kind of go

192
00:09:05,525 --> 00:09:07,005
with these types of services.

193
00:09:07,225 --> 00:09:10,005
So, you know, when I think
of that, I'm thinking, okay,

194
00:09:10,005 --> 00:09:13,285
these developers are creating this code,

195
00:09:13,705 --> 00:09:15,685
and, you know, if they get in, then

196
00:09:15,835 --> 00:09:17,325
what else can they exploit?

197
00:09:17,335 --> 00:09:20,085
Right? Mm-Hmm, what more can
I get now that I'm in there?

198
00:09:20,505 --> 00:09:22,765
You know, where am I going
to make the biggest bang

199
00:09:23,225 --> 00:09:25,965
to understand how this organization works?

200
00:09:26,315 --> 00:09:27,485
What are its vulnerabilities?

201
00:09:27,905 --> 00:09:30,085
And then what's the impact
of what I'm about to do

202
00:09:30,085 --> 00:09:32,365
as a hacker to that organization?

203
00:09:32,945 --> 00:09:36,445
And sometimes, you know, it's,
it's a business model, right?

204
00:09:36,625 --> 00:09:40,085
So, um, you know, there are
different kits you can buy,

205
00:09:40,345 --> 00:09:41,405
you know, on the dark web

206
00:09:41,405 --> 00:09:45,005
and anywhere else that, you
know, if you wanted to look at

207
00:09:45,745 --> 00:09:49,565
how do I, you know, hack into
X organization depends on,

208
00:09:49,565 --> 00:09:51,965
you know, what type of
kit, ransomware kit you buy

209
00:09:51,965 --> 00:09:53,125
and what it can do for you, and

210
00:09:53,125 --> 00:09:54,645
how much you're willing
to pay for it, right?

211
00:09:54,865 --> 00:09:56,525
So it is a business.

212
00:09:58,515 --> 00:09:59,615
- And Shefali, if we can't,

213
00:09:59,615 --> 00:10:01,495
and let's move in closer to your role,

214
00:10:01,855 --> 00:10:03,415
specifically C-I-S-P-O.

215
00:10:04,075 --> 00:10:07,215
I'm curious if there are any
common misconceptions you run

216
00:10:07,245 --> 00:10:09,375
into about your role and your work,

217
00:10:09,915 --> 00:10:11,295
and if so, what those are,

218
00:10:11,755 --> 00:10:14,415
and if you can clarify them
for us, if you don't mind.

219
00:10:16,565 --> 00:10:18,085
- Absolutely. So when folks think

220
00:10:18,085 --> 00:10:20,245
of a chief information security officer,

221
00:10:20,505 --> 00:10:23,645
or even a Chief Privacy Officer, uh,

222
00:10:23,665 --> 00:10:25,565
or a combination of a
chief information security

223
00:10:25,625 --> 00:10:28,565
and privacy officer, there's
different, you know, flavors of

224
00:10:28,835 --> 00:10:30,565
what the roles are these days.

225
00:10:30,625 --> 00:10:33,005
And sometimes there's a
blurring line between privacy

226
00:10:33,185 --> 00:10:35,005
and security, uh, roles.

227
00:10:35,385 --> 00:10:37,805
And so, you know, I wear
both hats, you know,

228
00:10:37,805 --> 00:10:41,405
and I like to think of the
privacy role as to the, you know,

229
00:10:41,505 --> 00:10:44,725
the why of what's happening
with that information.

230
00:10:44,865 --> 00:10:49,365
And then security is how I
protect that information, right?

231
00:10:49,865 --> 00:10:51,325
And so looking at the why

232
00:10:51,325 --> 00:10:54,525
and the how, then the,
the what, when, where, why

233
00:10:54,915 --> 00:10:56,845
that all comes into play, right?

234
00:10:57,025 --> 00:11:01,085
And so in my role, I look
at things very differently

235
00:11:01,085 --> 00:11:03,085
because of the university environment.

236
00:11:03,585 --> 00:11:05,445
You know, I have academics
with the students,

237
00:11:05,805 --> 00:11:09,525
I have research, and then, you
know, looking at the hospital

238
00:11:09,525 --> 00:11:12,605
and the UI health system
partnership that we have, uh,

239
00:11:12,605 --> 00:11:15,285
you know, what the impact there
is from the university side

240
00:11:15,305 --> 00:11:16,725
to the hospital side,

241
00:11:16,795 --> 00:11:19,605
because we do have within
the university, you know,

242
00:11:19,605 --> 00:11:23,165
healthcare covered components
that are part of the,

243
00:11:23,425 --> 00:11:25,685
you know, College of Medicine,
College of Dentistry,

244
00:11:25,835 --> 00:11:26,965
College of Pharmacy.

245
00:11:27,265 --> 00:11:29,085
So we have medical
clinics, dental clinics,

246
00:11:29,105 --> 00:11:30,165
and then the pharmacy.

247
00:11:30,665 --> 00:11:34,565
So, you know, the role that I
play is, is a critical role,

248
00:11:34,625 --> 00:11:37,365
but there's an evolution
happening about what a CISO is

249
00:11:37,385 --> 00:11:38,445
as a, as an example.

250
00:11:39,105 --> 00:11:41,085
Um, you know, I think the
misconception there is

251
00:11:42,265 --> 00:11:44,885
you are solely responsible for security.

252
00:11:44,985 --> 00:11:48,325
As a CISO, the concept really is,

253
00:11:48,585 --> 00:11:53,005
and this is what I try to
advocate, is I am trying to sell

254
00:11:54,525 --> 00:11:57,245
security to the organization

255
00:11:57,245 --> 00:11:59,525
because it's a concern for everyone,

256
00:12:00,075 --> 00:12:02,045
whether you are an employee

257
00:12:02,465 --> 00:12:05,765
or a business partner, you
know, third party, fourth party,

258
00:12:06,315 --> 00:12:07,645
it's everyone's concern

259
00:12:07,645 --> 00:12:08,685
because there's an impact

260
00:12:08,685 --> 00:12:11,445
to everyone if something goes wrong, uh,

261
00:12:11,585 --> 00:12:13,845
or something is leaked out, right?

262
00:12:14,025 --> 00:12:17,925
And so it's not just for me as an employee

263
00:12:18,065 --> 00:12:22,045
of an organization, but
if I'm also a user of

264
00:12:22,515 --> 00:12:24,005
that organization's data

265
00:12:24,145 --> 00:12:28,525
or resources, then, you know,
as a user, it's important also

266
00:12:28,525 --> 00:12:31,605
that I understand, you know,
what the role of a CISO is.

267
00:12:32,065 --> 00:12:34,165
Uh, a lot of times CISOs get kind

268
00:12:34,165 --> 00:12:37,685
of pigeonholed into it's
your issue, you handle it,

269
00:12:37,785 --> 00:12:39,685
you know, you're the
person that's responsible.

270
00:12:39,825 --> 00:12:41,285
But I do feel

271
00:12:41,285 --> 00:12:44,885
that I can only be responsible
if I've been given the proper

272
00:12:45,055 --> 00:12:49,085
tools and the funding
to support what I need

273
00:12:49,165 --> 00:12:50,285
to do to get the job done.

274
00:12:51,105 --> 00:12:54,525
Now, you know, along with that
comes support from leadership

275
00:12:54,865 --> 00:12:57,045
and the board sometimes, depending on

276
00:12:57,045 --> 00:13:00,285
how an organization is, is
structured from the top down.

277
00:13:00,745 --> 00:13:03,845
Um, some CISOs will report to
a board, some CISOs will not.

278
00:13:04,025 --> 00:13:06,165
It just depends. Um, and,

279
00:13:07,265 --> 00:13:09,565
and when you say a CISO,
you know, we all come

280
00:13:09,565 --> 00:13:12,525
with varied backgrounds
and experience, skillsets,

281
00:13:13,125 --> 00:13:16,565
certifications, and our
own personal abilities.

282
00:13:17,325 --> 00:13:18,765
I think that is a key there.

283
00:13:18,765 --> 00:13:21,165
And so, um, you know, I do see a lot

284
00:13:21,165 --> 00:13:22,805
of CISO positions open right now,

285
00:13:23,265 --> 00:13:27,605
and I think that, um, there is
a really big focus nationally

286
00:13:27,605 --> 00:13:31,325
and internationally to be
frank, of the attention

287
00:13:31,325 --> 00:13:33,125
that cybersecurity is getting now,

288
00:13:33,125 --> 00:13:36,405
because people do recognize
there's a lot of money to lose

289
00:13:36,405 --> 00:13:37,605
and a lot of money to be made,

290
00:13:37,625 --> 00:13:40,165
and a lot of money to
be safeguarded. Mm-Hmm.

291
00:13:40,205 --> 00:13:41,805
- <affirmative>, I think

292
00:13:41,805 --> 00:13:43,565
that's such an important distinction.

293
00:13:43,565 --> 00:13:46,365
Like you said, not it, it's not a matter

294
00:13:46,365 --> 00:13:49,165
of being solely responsible for
security at the organization

295
00:13:49,785 --> 00:13:51,085
and risk mitigation,

296
00:13:51,225 --> 00:13:54,485
but being a, a cultural
leader in many ways,

297
00:13:54,745 --> 00:13:58,885
and a, a, a real champion
of security being baked into

298
00:13:59,025 --> 00:14:01,885
and factored into decisions
made at a very high level,

299
00:14:02,065 --> 00:14:03,925
the board and executive team level.

300
00:14:04,585 --> 00:14:06,205
And, you know, Shefali, I'd be curious too.

301
00:14:06,205 --> 00:14:08,165
You know, the other thing
I was gonna ask you about

302
00:14:08,265 --> 00:14:09,485
is the CISO role.

303
00:14:09,645 --> 00:14:12,205
I feel like so often those
efforts can go undersung,

304
00:14:12,585 --> 00:14:15,685
and it's not until something
goes wrong or breach occurs

305
00:14:15,785 --> 00:14:17,525
or some sort of cyber attack,

306
00:14:17,905 --> 00:14:19,925
and then ultimately the CISO is held up

307
00:14:19,925 --> 00:14:23,485
to greater visibility at
times or held accountable.

308
00:14:23,945 --> 00:14:27,805
Um, I'm curious if you felt
that way as though from day

309
00:14:27,805 --> 00:14:30,805
to day, if things are going
well, security is intact,

310
00:14:30,835 --> 00:14:34,765
privacy is being honored,
um, this is a role that, if

311
00:14:35,435 --> 00:14:37,445
not careful, can be diminished.

312
00:14:39,035 --> 00:14:42,045
- Yeah, you know, it, it is
an interesting perspective of

313
00:14:42,045 --> 00:14:44,405
what a CISO is and what
they're responsible for.

314
00:14:44,505 --> 00:14:46,925
And I think everyone, you know,

315
00:14:46,995 --> 00:14:49,845
they're in a CISO position
is, you know, dependent on

316
00:14:49,845 --> 00:14:52,565
what the expectations of that
organization are of them.

317
00:14:53,105 --> 00:14:55,965
Uh, and so, you know, for
myself personally speaking,

318
00:14:56,505 --> 00:14:58,925
you know, I've been in
CISO roles where, you know,

319
00:14:59,155 --> 00:15:02,885
I've taken them only based
on a question I will ask

320
00:15:02,885 --> 00:15:04,725
leadership saying, you
know, will you be there

321
00:15:05,065 --> 00:15:07,885
to support me when any
decisions need to be made?

322
00:15:07,905 --> 00:15:09,845
And if there's some hard
decisions, you know,

323
00:15:09,845 --> 00:15:11,845
that we both would need to be in sync.

324
00:15:12,265 --> 00:15:16,205
Um, and so if I have the support
of my leadership, um, then,

325
00:15:16,225 --> 00:15:18,165
you know, those are the
positions that I have taken.

326
00:15:18,745 --> 00:15:22,005
Um, and likewise, you
know, if you're a CISO

327
00:15:22,005 --> 00:15:23,965
that's in a position where
you're not really getting

328
00:15:24,545 --> 00:15:27,205
any support from your
leadership, then you know,

329
00:15:27,205 --> 00:15:30,165
there's different tactics to
take to report out on metrics,

330
00:15:30,425 --> 00:15:34,605
to think through, you know,
an innovative way to explain,

331
00:15:35,225 --> 00:15:38,405
uh, how you might be able
to get more funding or,

332
00:15:38,545 --> 00:15:41,925
or, uh, understand what kind
of resources you need to get

333
00:15:41,925 --> 00:15:44,085
to a better maturity for cybersecurity.

334
00:15:44,765 --> 00:15:49,045
I think the, the other
misconception for CISOs is that, um,

335
00:15:49,105 --> 00:15:51,565
you know, some CISOs
feel like they're alone.

336
00:15:51,565 --> 00:15:53,965
They're the only technical
person that, you know,

337
00:15:53,965 --> 00:15:55,005
everybody relies on.

338
00:15:55,425 --> 00:15:58,565
And I think the key here is,
you know, being an advocate

339
00:15:58,585 --> 00:16:02,005
for security and getting out
there within the organization

340
00:16:02,005 --> 00:16:05,805
and making relationships
with folks, um, building

341
00:16:05,835 --> 00:16:08,565
that relationship and
trust is very important

342
00:16:08,565 --> 00:16:10,245
to being successful as a CISO.

343
00:16:10,805 --> 00:16:12,565
I think the other piece here is,

344
00:16:12,565 --> 00:16:16,685
besides gaining trust,
is really reaching out to

345
00:16:17,545 --> 00:16:20,165
the leadership and the unofficial leaders.

346
00:16:20,485 --> 00:16:21,885
I can't tell you how
many people I have met

347
00:16:21,885 --> 00:16:25,005
that I have run a policy across, just

348
00:16:25,205 --> 00:16:29,245
'cause I know that they will
have influence over an, uh,

349
00:16:29,305 --> 00:16:32,005
you know, an official leader, uh, per se.

350
00:16:32,465 --> 00:16:35,645
Um, but I think this is the
nuance of the job, right?

351
00:16:35,675 --> 00:16:37,685
That we are held
responsible for many things

352
00:16:37,685 --> 00:16:39,845
that could be out of our own control.

353
00:16:40,345 --> 00:16:44,885
And so when I think of what
type of control do I need, well,

354
00:16:44,885 --> 00:16:47,285
it starts with the leadership
from the top down, right?

355
00:16:47,285 --> 00:16:49,645
Because all the technical
tools are in place.

356
00:16:49,995 --> 00:16:52,645
I've got, you know, people
in place to do the things.

357
00:16:52,745 --> 00:16:56,965
But you know, if we do know,
uh, various things are at risk,

358
00:16:57,075 --> 00:17:01,365
then my risk-based approach
with evidence is an approach

359
00:17:01,365 --> 00:17:02,685
that I'll, I would wanna take

360
00:17:02,745 --> 00:17:05,205
and make sure that, you know, I

361
00:17:06,315 --> 00:17:09,405
provide a general update
at the highest level,

362
00:17:09,625 --> 00:17:12,045
but then if I need to get technical enough

363
00:17:12,045 --> 00:17:14,525
that I can provide that documentation at

364
00:17:14,525 --> 00:17:15,645
the technical levels, right?

365
00:17:15,705 --> 00:17:18,365
So you, as a CISO, you have
to be flexible in order

366
00:17:18,365 --> 00:17:21,805
to understand that gauge
where, you know, you have

367
00:17:21,805 --> 00:17:24,685
to be high level and where
you have to be, you know,

368
00:17:25,035 --> 00:17:26,765
deep down into the, the weeds.

369
00:17:28,725 --> 00:17:30,255
- Well, Shefali, this has been such an

370
00:17:30,815 --> 00:17:32,015
interesting and dynamic conversation.

371
00:17:32,015 --> 00:17:34,055
I've learned a lot from you
in our time together today.

372
00:17:34,075 --> 00:17:35,695
Is there anything I wasn't able to ask you

373
00:17:35,715 --> 00:17:37,735
or that you wanna make
sure our listeners hear

374
00:17:37,735 --> 00:17:38,935
from you as we wind down?

375
00:17:41,245 --> 00:17:44,445
- Yeah, I think the thing that
we all know as CISOs is that,

376
00:17:44,445 --> 00:17:46,325
you know, security is
everyone's concern,

377
00:17:46,385 --> 00:17:49,285
but I would just say that,
you know, you have to lead

378
00:17:49,315 --> 00:17:53,125
with your head, your
heart, and your hands.

379
00:17:54,025 --> 00:17:56,725
And you know, the way it
works is, you know, leading

380
00:17:56,725 --> 00:18:00,525
with your head is, you know,
we all come with knowledge.

381
00:18:00,785 --> 00:18:03,485
And in order to be able to
share that knowledge, you know,

382
00:18:03,485 --> 00:18:05,565
look at your heart and say,
okay, who do I need to get

383
00:18:05,625 --> 00:18:08,045
to know to make my job easier?

384
00:18:08,265 --> 00:18:10,445
And to make sure that the
organization is securely,

385
00:18:10,825 --> 00:18:11,925
you know, safeguarded.

386
00:18:11,985 --> 00:18:13,685
And then with the hands
is where, you know,

387
00:18:13,685 --> 00:18:14,685
you start working through your

388
00:18:15,005 --> 00:18:16,285
policies, building relationships.

389
00:18:16,785 --> 00:18:18,885
And so look at your head,
your heart, and your hands

390
00:18:18,985 --> 00:18:20,045
and see what you can do.

391
00:18:20,725 --> 00:18:21,725
Anything is possible.

392
00:18:23,595 --> 00:18:26,125
- Shefali Mookencherry, Chief Information Security

393
00:18:26,225 --> 00:18:28,885
and Privacy Officer with
University of Illinois, Chicago,

394
00:18:28,935 --> 00:18:30,645
thank you so much for
being my guest today.

395
00:18:31,125 --> 00:18:33,285
I hope we can catch up
with you again soon.

396
00:18:33,855 --> 00:18:34,285
- Thank you.

