This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the Podcast): Transformational Leadership and Shaping the Cyber Industry with Paul Annastas
[00:00:00] Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24/7 threat defense services or advisory services delivered through Central Command, a first of its kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.
Learn more at fortifiedhealthsecurity.com
Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity, and risk, and the people and process and technology making healthcare more secure.
And now [00:01:00] this episode of Unhack the Podcast.
Hey, everyone. I'm Drex, and this is Unhack the Podcast, and I am really excited today to have a friend of mine on. This is Paul Annastas from Sarah Cannon Research Institute, and Paul and I were introduced by Sarah several months ago.
And this has turned into a bit of a running I don't know, how do you describe it, Paul?
I would describe it as kindred spirits who just, get on the phone and bounce ideas off each other. Enriched my life. I've said that to you many times.
I appreciate that. It is fun. And it's one of the reasons I've played around with a bunch of different formats around Unhack the Podcast. I have not settled on one yet. I know I have to figure this out pretty soon. What's the show really going to be and what's it going to look like?
And this is the first time that I'm going to do a long form conversation with somebody. And, you came to the top of my head because of these conversations that we've had, where we just get on the phone and we riff about a whole bunch of different stuff. [00:02:00] So when I talked to the producers this morning I said, So I'm going to record this show with Paul and it's going to probably go all over the place.
And so it might wind up being hard to produce and they're good. So they just gave me that, don't worry about it. You guys just do your thing and we'll take care of it. So really I'm glad you're on the show and let me start by just tell me a little bit about your background.
You have a really interesting kind of career path and how you got to where you are let people hear some of that.
So I've been in healthcare IT for the last 20 plus years, started in the nonprofit world, kind of behavioral health, then moved into large acute care, healthcare, and information security.
Information security was still a very young industry.
And a lot of people say that, when I have these conversations with folks and I say, how'd you get into security? Nobody ever says it was an intentional thing, right? A lot of folks just stumble into it.
Yeah, I was, Going from the non profit world to a larger [00:03:00] corporation it was a matter of circumstance and necessity for family reasons. So I ended up with this large company doing information security and never worked in a hospital, implemented this technology. to help the clinical workflow was impacting the clinical workflow.
And I finally came home one day and said to my wife, Hey, I need to go work in a hospital, pick anywhere other than Nashville. Anywhere two to three hours away at Charleston, South Carolina. I was very fortunate. A role had opened in Charleston and that sort of launched the next 10, 13 years of my career working in hospitals and hospital divisions across the Southeast and from there COVID hit, took a little time and ended up joining Sarah Cannon Research Institute.
To help, build a security program or, I didn't say build it was format, but pull the levers and modify it with that treatment plan, right? Here's your genetics that we have as part of a larger [00:04:00] corporation. How will we best protect this research data? Great team, worked through it and fast forward the last four years. That's what I've been doing. And it's been very rewarding.
a lot of times when we talk, we talk about teams and building teams and leadership and culture and that kind of stuff It's always interesting when you come into a new place and you look at what you have program wise and the people that you have in the budget that you have, you've been through this a few times, you have a method or sort of like a plan of how you do this something other folks could learn from.
I always say there's four things. I'm gregarious, I'm pragmatic, I'm direct, but I'm always kind. And so whenever I've taken on a new team or built a new team, it always starts with the same conversation, right? The team successes are your successes. The team failures are my failures.
I will never publicly admit if you've done something wrong as the leader. That's my role. I will jump on the grenade, metaphorical [00:05:00] grenade for you, and you're accountable to me, the person to your left and to your right. So if we do that together with that same mindset, we can accomplish great things.
And I think I had mentioned earlier, we were chatting about this industry shift to people leaders, used to be, Hey, that's my manager. That's my boss. Now that's my leader. And just been reflecting on this the last several weeks. It's like leadership is an honor and a privilege
and
we can't just keep throwing that around.
You have, two types. of leadership per se, right? I'm a servant leader, but when you think about leadership at the base level, you have your trained leaders and your transformational leaders. And honestly, John Maxwell does this great piece on it, but trained leaders have knowledge, right?
Transformational leaders have wisdom, and there's a huge difference. As we look at this in the technology and security landscape. The things I've done throughout my career, especially as I get older they're based on wisdom, not just [00:06:00] knowledge, right? Wisdom is the ability to apply that knowledge that you have.
Back to the pragmatic point. The pragmatic point, exactly. Very guilty of that. If we try something and it works. I'm not saying we can't tweak it, but why are we looking to blow it up, kind of thing. Servant Leadership, I have an old tattered notebook. It has, my, my three things, right?
It's Customer Focus, Servant Leadership, and Humility. I try to approach and attack everything with those mindsets.
do you think the learned leadership is the kind of thing, yes, in cybersecurity, but just in general, I think, is learned leadership, is this sort of like a process you have to go through?
So you learn to be a leader early on in your career, but then the more seasoned you become, the more transformational kind of leader that you become. Do you ever see anybody start out of the gate as a transformational leader?
I'm not saying it's impossible, but I think we're all a collection of experiences, right?
And those of us that were blessed with [00:07:00] toxic leadership early on, became transformational leaders.
Dude, so you and I have talked about this. I have learned so much more from the bosses that I've had that have been terrible bosses than I've ever learned from people. The bosses that are good bosses.
And part of that is like the bosses that are good bosses, what they do that makes them good bosses sometimes is so like weirdly nuanced, that it's hard to understand what it is that they're doing. And the bosses that are bad bosses, it's so clear I will never do that. I will never do that. I will never do that.
And that just really speeds you to your point on your path of being like a better leader.
Yeah, and that was the only job I ever walked out of without having another job, literally, in the heat of the moment, was from that boss. And, this was maybe six months before I was getting married, and, my wife to be was freaking out.
We did okay, I landed on my feet, but I knew right then and [00:08:00] there, so you have that bell curve, right? You have the toxic, bad leaders, bad managers. And then you have, the majority, and then you have those people that just make you want to be better, do better.
And, I often during coaching and mentoring sessions, it's so when you're taking over a team, do you want them, to follow you up the hill, is that the type of leader that you want to be, or do you want to inspire them in such a way that they're holding you back saying, we've got this?
Okay. You've done this for us. You've trained us for this moment. We're going to march that hill, and we're going to do everything to protect you. And it's always interesting to hear the answer. It's I want to be out in front. Why? And there's usually a dissection there, and we have a long conversation about, the differences.
It's just do you want to be liked or likable, right? There's no right or wrong answer. Everybody has their preference. But when you're liked, you're trying to please people. When you're likable, you're going to have to make hard decisions. And that's what [00:09:00] being a leader, being a manager, that's what it's all about.
It's making those hard decisions. for the benefit of the team.
totally want to get into the mentoring conversation too. Do you think is some of the situational decision about I want to be a leader who leads from the front or I can't, in some cases I really want to be a follower I don't know.
And is all of that some kind of sign of maturity in the individual that they don't have to always be the lead from the front person?
I think it's part that, but I also think it's part of the current culture and environment that we're in, so employee engagement,
When we all do our true up of these to our employees who strong nine box, all those routines,
all the
surveys and right.
And people that are career minded they tend to want to be in my experience in the front because it's, the culture. and the environment is very much, what have you done for me lately? How have I made a lasting impact? For as outgoing as I am as a person in business, I usually sit back and am the [00:10:00] last to respond or try to be, just take in all the knowledge and only provide that pragmatic, feedback.
So that's probably hurt me some in my career. Because it's always, again, soundbites, right? We talk about soundbites, quick hits. What's the lasting impression? What's the most recent impression? So I think it's a mix. I think it's the maturity level. And I think it's where they are in their career and what they want to do.
Yeah, it's there's this Remind me, you've been in the military?
I was not, no.
You were not, okay. There's this concept that we talk about sometimes at This Week Health on the team of tactical patience. And it's essentially almost exactly what you talked about, right?
That, you need to make a decision and you will make a decision and you won't make it emotionally, but you sit back and you listen to information and you gather information. And at some point you're never going to, you realize you're never going to have all the information that you need to make the very best decision.
[00:11:00] But this is also part of that seasoned leader practice, right? That you can figure out, okay, I have enough information to make a decision that's probably 75 percent right. And I can adjust fire, I can adjust my decision after that. And yeah, I think some of what you're talking about is that tactical patience, even in a meeting, right?
Even if when it's not a big, giant long term plan, but just in a boardroom or in a conversation.
Yeah. You fall into sometimes in these larger corporations analysis paralysis, in some cases, process paralysis, like so many people need to sign off on a decision. You lose the intent.
And so having that. Ability to be agile in all of the things you do, not just, software development, but. But literally in, strategic thinking, tactical decisions how do you gain consensus and what are the feedback you need to have with the people closest to it?
And that, I think that's something that often [00:12:00] gets lost, right? So I understand that certain people are accountable to board of directors, shareholders, at some point we need to stop and look at, All right, this person is closest to the action, especially in healthcare, which led me to go work in hospitals.
If I make this decision, am I putting a patient's life in danger? And , those were real decisions. And it was fascinating for me to spend time in a healthcare setting for so many years and truly understand that what you just made from the ivory tower, that decision really added, 10 minutes paperwork or took away five, either way, you're having a positive or negative impact.
So make sure you fully vet the decision.
Yeah, I think sometimes too, it's not just fully vetting the decision before you make it. That tactical patience of making, making the best decision that you can make at the time. I was lucky enough during the Gulf War I was in theater with Colin Powell and Colin Powell had a thing that he would say over and [00:13:00] over again lacking any other evidence, the guy who's on the front line is probably right.
So this idea of if that person is telling you that they need something, they probably actually need it. Or they probably actually need for you not to do it, whatever it is that you're thinking of. So he was really big on, and I'm a Toyota lean production guy. This is going to Gemba. This is, all of that same sort of concept, go to where the work is done and see what's really needed.
And you can, and it's okay to just go and try things out and whether it has the impact that you actually intended. Do an experiment, try something in just a really small bite and see if it works. That kind of tactical patience is important too, because you get to really see this is how it's gonna affect the folks who are doing the work at the front line.
Yeah, and so that kind of brings in the notion of the Peter Principle, right? If you're familiar with monolithics, right? Promoting people to their highest level of competence. We see it sometimes in technology. We take these really intelligent, [00:14:00] really, great CVs, great backgrounds that get promoted to these roles and they want to just attack, right?
There's no tactical patience. There's no taking a minute and saying, Whoa, hold up. How do we look at the full? battlefield, right? what are we trying to solve for?
And
so it's that, yeah, again, tactical patience, just taking a minute. And again, you don't want to get mired in having full consensus on everything, but you have to build the culture, right?
That empowers. ORs, operating rooms, are the greatest example of that. The whole timeout process. Anybody in the OR can call a timeout. Brilliant. Brilliant. Because of the increased patient safety by, X number percentage. It's just so small too, right? So we need to look at it organizationally for a lot of things, my opinion, and observation and experience.
It's as you think about cybersecurity in particular, and this idea of like timeouts and Toyota lean [00:15:00] production, we would call that stopping the line. There's literally if you ever go to a Toyota plant in Japan and you spend time and watch people working on the line, at each individual station in the assembly, there's something called an Andon cord.
And that worker can actually reach up and pull the Andon cord and stop the line. Because That person seeing something that is probably messing up the whole process.
And
they can stop the line and a bunch of people come and they all listen to the problem and they fix it and then they turn the line back on.
That's the idea of the sort of timeout, the checklist manifesto kind of stuff that applies to. Airplanes and nuclear submarines and ORs. How do we do stuff like that? How do you create things like that in cyber security?
Sure. First of all, great book, Checklist Manifesto.
Love that book. Yeah. again, I can't harp on this enough, culture, right? We're not everybody goes to an organization, large or small, and they all have [00:16:00] their, whiteboard material, right? It's, here's our values, but. As a team, large or small, you need to take the time and do that same sort of exercise.
And realize as leaders, you don't work for me. The most uncomfortable I've ever been is when somebody calls me their boss. And it always became a running joke, but I truly am uncomfortable because I'm here to block and tackle. That's my job is to remove roadblocks. If I'm the smartest person on the team, I have failed.
And empowering people, setting up those values, right? One of the values have healthy conflict over artificial harmony. How are we advocating to do the right thing, at the right time, all of the time? If we can commit to that as a team, I think that's where we get into that, pulling the line
and
saying, hey, we've got a, we've got a problem here and making sure that you're communicating with impact, that we're not just making noise here.
You've got to have the credibility to hold everybody [00:17:00] accountable, including self accountability.
Yeah, think this whole point of don't call me boss. And it's not really don't call me boss. It's just I have a really good friend. I hadn't thought about this for a long time until you just said it.
I had a really good friend who used to say all the time you work with me. When you start working for me, that's probably when we have a problem,
right?
That's great. I love that.
Yeah.
That's great. That's exactly it. The concept of team, it seems simple. Most of us grew up playing team sports.
We all wanted to be the superstar, but as we get older and wiser, again, coming back to wisdom, we got to realize that you can't be the star quarterback. You can't be the home run hitter. You want to have everybody achieving at the same rate. And everybody being okay with challenging, right? If you're not challenging the status quo you're not going to have a successful team.
And again, all of these are great thoughts and ideas, but you still have the human.
And then we're like the role player [00:18:00] comes into this too, right? You're trying to find people who do some things really well, and they really love doing that thing. And then you're trying to assemble a team that kind of covers the waterfront on that.
And being the leader you have to recognize that and put them in a position to succeed, but at the same time, while they may be good at it, they may not be passionate about that. So you tie it back to culture. Okay. If you're not passionate about that, what else are you good at? How else can we help you be successful?
Because you're making the team successful. Peter Drucker had the greatest thing. I've mentioned culture probably ten times, right? Culture eats strategy for breakfast. That's right. Stop having strategic plans. We need those, right? Those are the three, five year out. But, if you don't have a workforce that's engaged, that's united behind a set of values and a mission.
And if you don't understand people, we're going to continue to see, I think with Splunk, who their recent studies showed 79 percent of [00:19:00] cyber security personnel are burnt out. Yeah. SOCs, security operations centers 24 by 7 being pressured to work more faster with less. There have been some unfortunate industry things that have happened that have shined a spotlight on us.
Yeah.
And those events create the no, we're going to have to work the weekend again this weekend, and we're going to have to, can we just sleep on the couch tonight? Because it doesn't make, why would I drive home for an hour and a half just to be back in, three hours?
That's not a great way to go through life. No.
No, and if you would have given me a bingo card where somebody was testifying in front of Congress talking about multi factor authentication, nobody would have won. Not last
year. You would have never, you would never picked it in 23 to be happening in 24, but here we are.
Yeah, and we're focusing on it, which is great. So it's given us, more finance financial abilities budgets are increasing, but we're not, The labor force just isn't catching up yet, [00:20:00] right? There's a struggle to hire Qualified individuals and I have philosophies on how we should approach that but You know right now.
It's a tough industry to be in
And in health care I think, especially. Part of that is just, we sometimes have antiquated systems and antiquated networks. Everyone that's listening probably has been in a hospital, you know how hospitals are built, you know how hard they are to navigate.
Cause they've been added on over time and the floors aren't exactly level in the next building. And you can be on the first floor and then move over one hallway and you're on the fourth floor. There's all that weirdness, but that whole thing kind of permeates into our infrastructure and our information services world too.
And that makes it really hard to secure. So it's hard to get good people to come and see this and get excited about. Staying for what they're being paid often too, right? Compared to what they can make in big tech [00:21:00] companies.
Yeah, I was asked once in an interview when I was leading the acute care setting, What are you most excited about?
And I said, I'm most excited about not living in fear of my phone because hospitals 24 by 7, 365. Being out in front, being the one throat to choke, one back to pat I oftentimes got the call and it was exhausting, but it was worth it, right? If I could contribute just this much to improving the patient experience, to improving patient outcomes.
That's why I showed up. That's why I still, like I always joke, you've heard me say it before if we've cured cancer and I'm out of a job, I'm okay with that. Yeah. And that's the great thing about the organization is we continue to conduct these trials and we continue to get closer improving outcomes.
I'm okay if one day, our CEO comes in and says, that's it. We've done it. Okay, cool. Yeah, thank you very much. What's
next. is an interesting sort of a reality that we live into that while it's a really challenging [00:22:00] and maybe underpaid and really frustrating world that we work in, the mission is really second to none.
That idea that and I tell a story, all the time, the best job I ever had probably was at a children's hospital. Cause when you get onto an elevator with a mom who has. Conjoined twins in a little red wagon. You realize a bunch of things. One is I don't really have any problems. I don't know what I was complaining about this morning, but those aren't real problems.
And the other part is, it's just like really clear. What you're doing today and who you're doing it for. Yeah. And so the mission really outweighs a lot of that other stuff that holds us back.
the mission is for a healthy organization. It can't just be words on paper, right?
We have to have those examples and we do a great job. We have mission moments. We try and connect to the mission before meetings and just share those. And it can be something very small. Or it could be something very large. And that's what's always driven, my wife has always said, [00:23:00] you're pretty crazy.
Because stuck with it for so long. I've worked ridiculous hours at, personal cost. But it's, to me, it's worth it. And I've always wanted to be part of something more than just, my three foot world.
Yeah. Is there something I haven't asked you about that you want to talk about? Because I'm going to go on to another kind of interesting part of this.
Let's go.
Okay. So I don't know if you listened to Tim Ferriss. There's a guy who has another podcast called Tim Ferriss podcast, and he has a book called Tribe of Mentors, and it's a really interesting book because he asks a set of questions of a lot of different folks that he considers mentors.
And so I'm going to run through a couple of those questions and just see what you got. You read a lot. Obviously, you have read a lot and I'm, as I remember, like you seem to always have something kind of cooking, right? What are you reading right now? And as a book, what's a gift that you give to people that you think makes a difference?
I'm a little crazy. I never read one book at a time. [00:24:00] It's not fiction for me. It's usually things. That enrich my life. I always carry with me when I travel the last several years, the old Stoic books, right? The Enchiridion by Epictetus, Marcus Aurelius Meditations, and Letters from a Stoic Prince, Seneca.
Because they're short, quick hitters, right? Those are the classics. Start with the why, Simon Sinek, I'm re reading There's another book, it's actually right here. It's Inspired Greatness, How to Motivate Employees with a Simple, Repeatable, Scalable Process by Matt Tenney. I read all of these books at once.
Yeah.
And it's just to glean something, or that light bulb moment. Hey, what if we applied this today and see, right? Cause again, we're trying to push and pull levers to get the most out of our teams, out of our organization, and to inspire people to do better. Yeah. We want people to, contribute and have a positive impact.
That's what transformational leadership is. It's using that wisdom to apply the knowledge, to improve culture, [00:25:00] objectives, strategies. And in terms of gifts, it really depends on the person. If it's a new leader, I always give them The Five Dysfunctions of a Team.
Huh.
Yeah, I love that. Because I like that it's told in the very storybook, and it was ingrained in us from a leadership perspective to help understand that pyramid, right?
Trust, accountability. So that's one that I usually give new leaders I'm lucky enough to coach or mentor. Huh. I
like it. Here's another one. This is just about a life hack. as you go through your own, this could be a thing that you've bought, this could be a thing that you do, what's the thing that you've picked up maybe in the last six months that is the thing that's given you a superpower?
I would say a life hack for me is the ability currently, because I really had a hard time when I started this. Throughout my career is to just to walk away and just take a moment and not let everything affect you personally, because there's a difference between passion and emotion. Some people will say passion.
It is an emotion. I'm pretty passionate about what I do. [00:26:00] And when I get passionate, sometimes it gets consuming. So being able to step away from that and recognizing, okay, Paul, take a beat.
Yeah.
Do a lot.
Don't go into a defensive crouch. I've always talked to my teams about that.
Like sometimes, especially when you're getting criticism about something, your tendency is to start defending yourself instead of listening. So I love where your head's at with that one.
Yeah, because it's, to me, sometimes things seem so clear. It's right in front of you.
I'm trying to tell you here's the answer, right? Here's the Holy Grail. We've done this before. Just listen and not, and it's this is going to end badly, so let's just take a beat.
this is my fault. I'm not explaining this properly. What's your favorite gadget right now?
What's a cool thing that you've picked up recently that you're like, oh man, I'm glad I found this, or, I'm glad somebody turned me onto this thing.
This is gonna sound weird. I wasn't a very heavy social media user.
Uhhuh .
I have an Instagram account. I just discovered Reels [00:27:00] and I really feel like Reels Mine is very much finely tuned and if I need a couple minutes to just reflect, I know you're thinking, Instagram, mine, based on the people I follow, like Simon Sinek, and it's just very carefully curated for a laugh or for a really deep thought.
And I will say I'm really enjoying the new iPhone with the camera button. We've had to do Oh, you've got a
16. Okay, that's a good, okay. Okay.
I do and just being able to quickly grab and capture the moment has been pretty cool.
That's good. Hey, if you had the chance to hang up a billboard and millions of people could read it, what would the billboard say?
That's a good one. So many things I want to say. Rapid fire, all the synapses going. I would say it would piece of advice. I give giving it to my children. I've given it to people I've worked with. Be your authentic self, right? And don't lie. Those are two things I would say. Practice and [00:28:00] live by because you get into that trying to be somebody else, and I was guilty of that early in my career.
Sure. Trying to answer questions like I would think the big boss wanted me to answer them instead of answering how I truly felt. I lost a sense of authenticity there. And coming back and just making sure that you are your authentic self. Might not be for everybody, but that's okay. As long as you're respectful just be your authentic self.
That probably makes you more likable too, right? That, that you are more accessible because you are the person that you actually are. You're not pretending. You're not a poser. You're not the person that you think other people want you to be. So yeah,
that could be part of our kindred spirit thing that's happened here.
I got that feedback, yesterday I was having a mentoring session and The person said to me I think one of the reasons I've gravitated towards you is because you're authentic, but you're also vulnerable and transparent, right? Because, people think that title sometimes dictates [00:29:00] you have to behave a certain way, but yeah, vulnerability.
transparency are very important.
I think that's good advice. That makes for a really great billboard. Speaking of advice, this is the last one. what is the chronic bad advice that you hear leaders giving? people that work for them or people who work in healthcare or people who work in cybersecurity.
There's usually a thing that most of us hear that we're just like, that, I don't know why people say that. That's just terrible advice. What's the thing that you've picked up on?
I think it's some version of if you just work hard and do the right thing, it will pay off, right? I think that's the one thing we've all heard some version of.
And that's part of it, right? I was once asked, what does it take to be successful? I would always say many parts, hard work but then it's luck and timing. Yeah. Did we make that impression at the right time? And were we lucky [00:30:00] enough that an opportunity you wanted was available?
So it's not just that that's just one A. And then there's B and C and sometimes D that goes with it to get, if we completed that thought as leaders, I think that would be better advice, especially newcomers in the workforce.
Yeah, I love it. Hey I really appreciate you being on the show today.
It's been a lot of fun. I'm sure I'll catch up with you again soon.
Absolutely. Thank you.
That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus. [00:31:00]