According to Forbes, 90% of the entire world’s data was created in just the past two years. While you’re wrapping your mind around that statistic, ponder this.
How can organizations manage all of that data?
In reality, it’s nearly impossible to go through an organization’s lifecycle without experiencing some form of incident or data loss. This is especially true within the healthcare space.
But before thinking about all of the different ways to protect your data, it all starts with the risk management process.
We had the opportunity to interview Paul Hugenberg III, Founder and CEO of InfoGPS Networks, about the importance of risk management, the qualities of a good CISO, and when to outsource to a vCISO.
Interviewer: Matt Moneypenny, Marketing and Sales Analyst
Matt: Hi Paul, before we get started I want to give a quick introduction.
Paul Hugenberg is the Founder, President & CEO of InfoGPS Networks, a SaaS-based cybersecurity, compliance, and risk management organization that provides a single, powerful solution whose goal is to protect information on networks.
Paul holds a CPA from the State of Ohio and has over 30 years of cybersecurity and compliance experience. He was a former Interim CIO for First Place Bank, Consumers Bancorp Inc., and Consumers National Bank. He’s served as a Senior Manager for Information Risk Management Services and Crowe, LLC. He’s also a former IT Audit Director for Sky Financial Group.
He originally operated a cybersecurity consulting firm that started in the mid-90s. His firm is now a part of The Cyber6Group, of which he’s the founding principal.
Paul, great to have you today. You’re quite the entrepreneur.
Paul: Yeah, I appreciate that! Thanks for having me.
Matt: Paul, you originally received your Bachelor’s in accounting and finance. With that degree, you spent some time as an auditor right out of college and then quickly transitioned toward more cybersecurity-centric roles.
Let’s talk about your origins in cybersecurity, obviously by your professional background you’re an expert in the industry. But, like anything, it didn’t start that way.
How’d you get into cybersecurity? What are your recommendations for someone just starting in the industry?
Paul: That’s a great question. I think with most things in life there’s a lot of luck or “being in the right place at the right time” to use an old phrase. When I graduated from college I had the desire to be an accountant and earn my career as a CPA. But for some reason, I don’t remember why now, I wanted to start it all off as a bank auditor and learn that trade. That was around 1990, which is when cybersecurity came into its own with the Gramm Leach Bliley Act. That act was specifically focused on banks. So here I’ve gone into the banking industry and I’m now subject and exposed to this new regulation.
My personality has always driven towards where I think there’s an open need for something to get done and there’s nobody to do it. A lot of people have a similar story but I was the one that was setting up computers, helping people print, and running wires through the wall. I thought it was something productive to do. But when anything new with IT came around they’d ask me if I’d like to try it and I would. So it matched with my desire to help out in open spaces.
My personality also likes to interject into important conversations and see the results of my efforts. This gave me the ability to do that.
For folks that are getting into the market today, I’d encourage them to spend as much time as they can understanding all of the tech. Once they’ve understood it, spend twice as much time figuring out why your clients need it. That’s where there are some serious gaps.
You can learn all of the stuff for the technology, it’s available and out there on the internet. But learn what makes the business tick, what’s involved with that and why it exists. Knowing those will help you in your career.
Matt: Right, and that’s kind of that caveat. You can pretty much learn whatever you want on YouTube. There’s tons of content out there but knowing how to reach your clients is an entirely different aspect.
Paul: Yeah, I agree. If you look at cybersecurity professionals who are escalating up the corporate ladder the most, that’s what they’re good at. It used to be, and there’s still a lot of people in these positions, that these employees always came out of tech. These people are very smart, they know the ins and outs of the computer.
But as information security has become so much more important in organizations, IT positions are talking less about technology and more about business strategy. I think it behooves people that they have both aspects in their pocket so they can use the two toolsets when different problems arise.
Matt: When we say the “cybersecurity industry”, it’s more of a blanket term as there are thousands of different avenues one could take. They could go into firewalls, antivirus and antimalware, data loss prevention, unified threat management, and so on.
As your cybersecurity expertise grew over the years, what did you find most organizations struggle with? Are different industries better at certain aspects than others?
Paul: I’ll answer the last question first. I think if you look at financial services, they’re probably the leaders today in knowing what it means to have a cybersecurity program and implement it well. But we have to give credence to the fact that they also get audited several times a year by multiple entities. So they know their biggest problems, how to budget and spend, they’ve done risk assessments and other exercises.
I think when you get out of finance you start to see organizations that are still on the cybersecurity learning curve. When we start talking about cybersecurity we aren’t necessarily talking about firewalls, antivirus, or stuff like that. Those are details.
We’re talking about risk. Risk is a business word, not an IT word. So you start to see folks that struggle with answering cybersecurity, putting the right things in place, or understanding their duties. These folks look at cybersecurity as a checklist, they aren’t looking at it from the standpoint of, “What am I trying to protect?”
When I sit down and talk to somebody for the first time, my question isn’t, “What’s in your tech stack?” I ask questions like…
What keeps you up at night?
What are you concerned about in your business?
What puts you out of business tomorrow?
Matt: There are so many details involved with cybersecurity. A risk assessment is a kind of checklist for folks, right?
Paul: It is and you can certainly walk people through that. But if you come at it from the perspective that you need to have a firewall or passwords, that’s fantastic, and many of those are common sense. But a password doesn’t tell you why you’re here or what you’re trying to protect. It also doesn’t tell you what happens if someone breaks through that password and they take something from inside your entity. Ask evaluation questions on a higher level. They have to be strategic and business-oriented.
You and I have some experience in the medical field with healthcare compliance. So we have a pre-written idea of what it is we find important. But what if you went to a Managed Security Provider that’s providing services to folks. What’s important to them, maybe, is a client list that they’ve cultivated over twenty years. If that gets taken, they’re in trouble. You’d never know that if you just walk in and pull up a regulation.
That’s why I ask specific questions. Only then can you supply that checklist and look at everything in a more direct fashion.
Matt: The tool your firm owns and provides to its clients obviously accomplishes various aspects surrounding both compliance and cybersecurity. One of the most common topics surrounding cybersecurity we hear a lot about here at Etactics and within healthcare is risk management.
How important is risk management within healthcare? If you’re approaching a small healthcare practice how do you emphasize the need for it?
Paul: To any industry, not even healthcare, risk management is the most important thing. It drives every decision within your business. Forget IT. What are the risks of…
Hiring a new employee
Rolling out a new product
Spending X dollars at a conference
You have to make choices all of the time and each of them is a risk-benefit decision. When you get into spaces where cybersecurity comes into play, you have to remember that the reason you spend every dollar is to reduce the risk associated with the information kept on machines. IT exists only to communicate. Maybe the communication happens…
Later this evening
Right now
In-person
Through a scheduled task on devices
Those different communication avenues help us move data from one place to another. At times that data becomes legally relevant, such as patient data. The only way that you know…
How much money you need to spend over a certain area
Where you’re at your weakest
How to employ those dollars in the most beneficial fashion
Is through a risk assessment. It’s critical.
Now augment that. Say we walk into a doctor’s office, bank, or someplace processing credit cards. We already know that there’s a compliance driver. Part of a risk assessment is finding out if you’re compliant. In this case, we know they’re going to need a firewall, multi-factor authentication, and strong passwords. We know this because of the regulations and we’ll identify that risk when we do the work.
Matt: What are some of the consequences healthcare companies may face if they don’t have a proper risk management process in place?
Paul: Some of it can be tangible such as governing bodies that have created a standard for risk assessments. If you happen to be on the bad side of an incident that loses patient data, that is a legally reportable event. There are fines behind that occurrence because you failed to take reasonable practices.
What’s nice is that reasonable practices are usually outlined in the regulation and then your risk assessment will help to make sure that you’re doing what you have to. But failure to comply can become quite an extensive routine just from a regulatory standpoint.
The business side is two-fold. First, you have a trust relationship that you’re building with your customers. Losing that trust results in less revenue. There are direct reasons why you’d do it as a business. Breaching any kind of trust you’ve built with your client is going to result in problems.
Second, you want your organization to operate. I like to come into the office every morning and get information from the people I do business with. When you let cybersecurity go to the wayside you’ll end up with things such as a ransomware attack. These make it impossible to use your systems.
The risks on the business side relate to trust, availability, compliance, and protecting sensitive information.
Matt: Ransomware attacks are so common these days. Especially within the hospital space. Hackers target smaller, more rural healthcare companies because they realize how valuable time is to them. There are lives on the line and a doctor wouldn’t be able to administer proper treatment because of an attack.
Paul: That’s an interesting comment. One of the things GLBA and HIPAA did for us in the 90s is provide a legal value to an identity. So Paul Hugenberg is a social security number, address, medical history record, etc. If someone wants to come in and take that information to use it nefariously, there’s a value that’s lost.
The growth of Internet-of-Things (IoT) and how devices communicate makes breaks in IT physically harmful.
If medical equipment that exists on an operating table falls victim to a ransomware attack, the first thing that happens is no one’s getting surgery for the day. The worst thing that could happen is someone’s having surgery at the moment of the attack.
Another scary idea is that a hacker hits the brakes on a car from hundreds of miles away because they disrupted its IoT connection.
You could look at those two scenarios as, “boy, it’s a great time to be in cybersecurity.” There are some definitive risks that we’ve always said existed but people didn’t know about them. But now physical threats like hurting people exist and are a real risk.
Matt: One of the biggest and most daunting steps in risk management happens in the beginning when an organization needs to identify risks through an assessment.
What elements make up a good risk assessment? How challenging is this step?
Paul: What I suggest to a lot of folks creating or revisiting their risk assessments is that you don’t need to make it up.
If you’re going to bake a cake you don’t need to figure out the recipes. With a little bit of due diligence, you can figure out the ingredients that need to be in it. You’ll practice it and eventually make a really good cake.
The National Institute of Standards and Technology (NIST) has a lot of extremely valuable information for risk assessments. Their information makes it easier for professionals to walk clients through a series of deliberate steps so they know what they’re doing, they’re active throughout the process, and it’s consistent. It’s real.
I always direct people to NIST 800-30. It outlines how risk assessments flow. Specifically, the appendices give different examples of the steps and answers within a risk assessment.
To answer your question directly, to get a risk assessment done the right way we have to understand the business of our client and their threats. The first question to ask yourself is, “What are the threats to my business?” That’s an open question that you can answer immediately.
We then separate each answer into types of threats. Each type of threat is already listed within NIST 800-30, which makes it such a helpful resource to fill in the gaps.
Next, we’ll try to understand the likelihood of a threat occurring and its impact. For example, the likelihood of a plane crash is low but its impact is high. Crashing your car has a higher likelihood than a plane crash but its impact is much less.
We’ll fill in these two categories and use an algorithm to evaluate and then rank threats based on their risk.
Then we’ll look at what controls are already in place and those that need to be put in place to mitigate each ranked threat.
As another example, I have a sole data center that’s built in tornado alley. If that data center gets swept away, I’ll lose everything. To mitigate that risk I’d build a backup data center more than 60 miles away.
That’s one example of a list of hundreds of threats you’d look at on an assessment. But once you do this process, you’ll either be happy with your results or find a few blatant risks you need to fix.
For problem items, you evaluate them on an asset level, see what they affect, and then make a decision.
Steps of a risk assessment…
Threats
Likelihood
Impact
Gap Analysis
Assets
Those five steps will get you through a risk assessment fairly quickly.
Matt: Once you’ve conveyed to them the importance of risk management and they have a clear understanding of what’s required by HIPAA, what’s the next step? Where should this healthcare company start?
Paul: Generally speaking and from a best practices standpoint, yes, you start with the risk assessment. It tells you…
What your expectations are
What your checklists have to include from a compliance standpoint
The location of the gaps in your business
I think in reality, if somebody walks into a hallway and sees a banana peel on the floor they’re going to know to pick it up. They don’t need to do a risk assessment to figure that out.
So we have to encourage our clients to have certain aspects in place before the risk assessment, such as…
Strong passwords
Antivirus
Information Protection
Policies
There are certain gaps that clients don’t need to wait to implement before finishing a risk assessment. Let’s get the easier ones out of the way and pick that banana peel up.
If there’s an incident and something goes wrong, the review of the environment is always going to look at whether you performed reasonable steps. If you didn’t, then there’s a bigger problem because you didn’t do what you’re supposed to.
All regulations and frameworks need to be a part of your internal processes.
Matt: How does a company determine what’s a reasonable response to an incident?
Paul: So what’s an incident? An incident would be that one of those threats I talked about earlier gets exploited. Sometimes they’re considered to be a loss of data.
Typically you’ll have an outcome that says, “I don’t have the appropriate processes, testing, or training in the event of an incident.” But the first responses that would happen, whether you’re prepared or not would be to…
Review what just occurred
Determine the lost assets
Understand the significance
Where people get into trouble is when they make the decision that they’re “OK” without talking to the right people who determine the sensitivity of the data.
So get a plan together.
If you don’t have one, ask somebody for help. Both you and I know of organizations that can help get people up to speed. Also, make sure that after you’ve filled your gaps you continue to test yourself. Testing helps make sure you’re never responding to an incident by the seat of your pants.
Matt: Let’s say it’s been a few years after this healthcare company established a risk management environment. They’ve dramatically increased their compliance and cybersecurity across the board. But over time, they’ve noticed how much work it takes and need to hire a full-time CISO.
What qualities should they look for when evaluating these candidates?
Paul: You’re putting someone in a position where they’re going to be in control of determining how to protect the largest, fastest-growing, and most sensitive assets. That person’s going to have a lot of pressure on them.
Look for someone that’s operated in an environment where they’ve been on a team. You want someone who can interact with multiple different people with different skill sets across departments. That way they can more easily drive towards conclusions that make sense.
Third, I’d look for people who are comfortable with interjecting expectations in a room. That means they’re good planners, speakers, and explainers.
Finally, I’d look for someone who has some business acumen behind them. Technology is great but you need to see evidence that they make clear business decisions.
If you’re lucky you’re going to find someone who has experienced a breach in the past that they’ve had to respond to. Those candidates bring a special kind of experience to the table.
Matt: I read an article recently published by HealthcareITNews that mentioned that experiencing a breach as a CISO actually makes you more valuable as a job candidate. In the past, an attack happening under your watch acted as a “Scarlet Letter” by the industry. It also mentioned that they face more pressure now than ever before.
How has the overall attitude surrounding breaches changed throughout your career? In your mind, why is this role so much more intricate than in the past?
Paul: I’ll start with the second question there. There’s so much more pressure now because data is the driver of our lives. There isn’t an industry where data doesn’t drive it. There isn't any activity where it’s not involved.
Something as simple as making coffee in the morning can now happen from someone’s phone. Driving to work in the morning happens easily due to GPS and satellite imaging. Everything is data.
As more things become driven by data, the government places more value on certain pieces of data. So there’s a natural increase in responsibility.
Furthermore, there isn’t a device that’s sold commercially today that isn’t built to communicate openly. As soon as you turn on devices it wants to talk to every other device around it. With IT, you’re trying to lock that down.
That’s why CISOs are so stressed. We’re responsible for the largest set of assets in every organization, period. CISOs set standards where they often don’t have someone else to point to if something goes wrong. That’s why they have to be someone of character who can own their faults and inaccuracies while moving forward.
We’re also people who go home every night worrying that another employee might click on the wrong email, even though they received email training from another department. So we’re fighting this culture of openness.
From a CISO standpoint, you worry about what’ll turn off the lights tomorrow. Everything is riding on IT.
Matt: Do you think that experiencing a breach makes you more valuable as a CISO?
Paul: I do. Help me find an NFL head coach that’s never played football before. Experience is everything.
Unfortunately, some of the experiences CISOs need to go through right now are difficult. But where we start to shine or show the value in what we do is by getting ourselves in positions where we reduce the risk of an incident when it happens. The trust and compensation you’ve given us comes out. Then we’ll have the ability to get through problems in a deliberate, structured way.
I mentioned this a little bit earlier but find someone who’s gone through a little bit of trouble. They’re going to know what to do from the missteps they made in the past.
Matt: After evaluating candidates, smaller businesses will soon realize how expensive it is to staff this full-time position. In some cases, these executives can cost $300,000 a year in salary.
These companies would feel relieved in learning that they can outsource this position virtually to a vCISO. These services can cost as low as $40k per year.
What are the benefits and shortfalls of having a vCISO? Do you recommend the outsourcing route in every case?
Paul: I do in certain circumstances. You have to look at the organization itself. Organizations that have greater simplicity and less complexity than other industries can benefit quite a bit from a vCISO. They’re going to get all of the benefits with none of the latency time such as figuring out how to fill someone’s day.
Every moment with a vCISO is acute, deliberate and beneficial. The value and responsibilities of a vCISO don’t change.
But as you grow and find yourself with more departments, several hundred employees, and maybe a department that’s building applications you’ll find that you’ll need a physical CISO. If you need to meet with your vCISO daily, it behooves you to bring them on full-time.
Until you reach that point, understanding your risk, performing a risk assessment, monitoring controls, and interjecting cybersecurity can happen virtually, which can be helpful before you spend an inordinate amount of money by hiring somebody full-time.
It’s a fantastic option for most people.
Matt: We’ve covered a lot today Paul but before we wrap up the interview is there anything else you’d like to mention about risk management, cybersecurity, or vCISOs?
Paul: I just suggest starting now. This is going to be something that’s required for most organizations if it isn’t already and it’s growing. But it’s not as hard, expensive, or as painful as you think it is as long as you partner with the right companies who have a little bit of experience.
Don’t be afraid of it. Talk to somebody to get yourself an idea of how much it might cost in terms of time and effort.
Then start the process. I think you’ll find it much more beneficial after you’ve gone through and experienced it.
Matt: Thanks for coming to today’s interview, Paul.
Paul: Thanks, Matt. I appreciate it.