By many measures, Rebecca Wynn is an accomplished cybersecurity leader.
For example, she holds multiple graduate degrees, including an MBA and a doctorate in technology. She’s earned several prominent security certifications such as the CISSP and CCISO designations. While she works in healthcare today, she has worked in cybersecurity across several different vertical markets, including financial services and the federal government.
With all this experience, her top concern for security in the healthcare community isn’t a technical problem but a cognitive one. The industry is behind where it needs to be, and correcting that begins, above all else, with finding people who can anticipate what threat actors will do next.
Dr. Wynn, who is currently the head of information security and data protection for Matrix Medical Network, is the latest guest in the Q&A series we’ve been running with cybersecurity thought leaders.
1) You’ve got considerable experience in cybersecurity and healthcare. In your opinion, do you think security in healthcare is harder than other vertical markets?
RW: No, I don’t think so. What’s different is the education of the leadership that’s required. I’ve done this in several different sectors, and I find the more immature the sector is, the more education is needed. The business side of healthcare has to be educated about things like why security needs time, budget and resources and why security is a separate discipline distinct from the IT department.
2) There’s some discussion in the industry that the security budget takes a back seat to other priorities. Has that been true in your experience?
RW: I wish I could say no, but absolutely yes.
The best time to join a company as a Chief Information Security Officer (CISO) is after they’ve had a massive scare or a massive breach. That is when you’re going to get the time, resources and budget. But just as important, they are going to listen to your voice. This lasts for about three years and if you have any faux pas or negative events that happen in that time frame, it’s always going to be attributed to things that occurred before you arrived.
Now if you are with a company, or even in a sector, that has not had those huge scares, then the question is always: What’s the return on investment? It’s really hard to show the value of catching insider threats before they happen or as they are happening. How do you measure the ROI of a potential loss to the company?
That’s why it’s important to be able to partner with people who are selling whatever product or service your company is selling. We have to get our costs built into that underlying cost, whether it’s 25 or 50 cents on a widget. In other words, I’m making security part of the deliverable.
Still, that’s hard to sell to somebody who’s never experienced a breach or had a good scare. The fight becomes, ‘Why do you need more budget this year?’ and ‘We’ve never had the problem before, so why do we have it today?’
That’s true across all sectors – it’s not unique to healthcare.
3) There’s an idea that’s been floated recently suggesting security would have better luck with budgets by striving to align with the culture of healthcare and patient safety, rather than justifying the expense with fear over a possible breach. For example, striving to influence healthcare professionals to obsess over security the way they obsess over handwashing. What do you make of that?
RW: Every sector has this sort of challenge. The thing is, people very seldom make a positive move because someone is threatening us. As human beings, we respond to that with: ‘How dare you!’
So, what do we have to do instead? One of the things that I recommend is meeting with senior leaders and finding a partner who can be your champion on the c-suite level.
It might not be your CIO or your CTO. Maybe it’s going to be your vice president of Product, or the Chief Legal Officer (CLO). You have to seek out people who have initiatives that are close to yours. A company will listen a lot more easily if you have two or three people with similar issues that you can package together to get your needs met.
You also have to speak their language and not phrase things in technology terms. When you are dealing with senior people, many of them aren’t technical at all. You really have to be more partner- and relationship-minded.
4) Are there any new or interesting cybersecurity concepts out there that you find especially interesting or exciting?
RW: Sure, there are a few that have been around for years that we are now seeing put into practice.
a) AI and machine learning.
AI helps cross-correlate data quickly. For example, we can see which system, service or person (insider threat) we should be watching.
Let me give an example: You have a person who was involved in an event three months ago. Perhaps they did something unusual on a server and did it again recently. As individual security professionals, we look at those systems from day-to-day from a single point of view, and we will miss those cross-correlations. However, if you use AI and machine learning, it will surface that person’s activities and those events.
There are a lot of new startups that have just started coming into the market over the last three to five years who have been doing this. I encourage companies to take a look at these startups and see what they are doing. It’s not always the big boys that have been out there forever that have the cutting-edge technologies.
b) Blockchain.
I see blockchain coming into healthcare now. I think it’s interesting because it allows you to look at the data behind the data, and the data behind that data.
c) Data encryption.
Data encryption that provides data classification codes embedded within the data could be especially useful for healthcare. We’re able to tag the data upon creation, so you can see wherever it travels on your network and keep security parameters around the data.
For example, in government, if something was classified as secret, the security parameters are carried throughout the life of the data. If it later goes through a review and is declassified, you are able to make that change.
Healthcare is starting to think about doing this – having a way to embed that classification and track its movement a bit more. It’s almost like a GPS for your data.
5) Okay. We’re into the lightning round to close out this interview:
- One security pub you read regularly and recommend is… (RW) I read a lot of different things, so Wired, Bruce Schneier, and the Cyber Security Hub among others.
- If you received 10% more security budget, you’d spend it on… (RW) I would spend it on things I’m already looking at – AI and machine learning.
- If you could attend one security event per year, it would be… (RW) I would attend Evanta Phoenix and the Phoenix Security & Audit Conference, which is produced by the Phoenix Chapter of ISACA. I think both of those events provide a big bang for the buck.
- If you weren’t working in cybersecurity, you’d be… (RW) I would probably be doing something with travel and photography groups – having fun by helping people have a great experience while on their vacation.
* * *
You can connect with Rebecca Wynn on LinkedIn where she has more than 25,000 followers. In addition, she has contributed her ideas to a range of publications including these recent pieces:
- Cyber Security Hub: Insiders Are Most Common Threat Actors In Healthcare
- SearchCloudSecurity: Top cloud security risks that keep experts up at night
- Enterprise Security: Digital Forensic Readiness Planning and Readiness Checklist in Order to Reduce Business Risk