This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00]

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity and risk, and the people, process and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Hi, I'm Drex. And this is Unhack the Podcast. We spend some time hanging out with some pretty cool people and today is absolutely no exception. Hi, Matt Christensen, how are you doing and what's going on out toward Intermountain Way?

Hey Drex, thanks so much for having me, and doing great. We're just staying busy. That's the easiest way to describe what's going on at Intermountain: we're busy.

You guys are always busy. There's always something [00:01:00] interesting happening out there. You're always on the cutting edge. You have a lot of cool stuff happening.

You're in the Eric Decker team, so there's no shortage of excitement because of that. Tell me a little bit about your background and what you're doing now, what your job is and what that entails, and just give me some insights into the work that you're doing.

Sure, you bet.

So I've been in cyber now for about 16 years. My introduction to cyber came from a college professor who said, unless you have people going back to being honest, you'll always have a career in cyber. And that hit home with me early in the, what do I do phase of my undergraduate.

I was actually in entrepreneurialism and marketing. Those were my two majors. And then I took an IT class and had this amazing professor that just opened the world to me around cyber. It changed everything. Yeah, Dr. Randy Boyle, give him a shout out. You know what I do on the day to day.

So the way that Intermountain has broken up our cybersecurity team is in pillars and in [00:02:00] services. So the services I have stewardship over, we call assurance. So think of governance, risk, compliance. You've got disaster recovery in there, you have training and education, and then the other area would just be our mergers and acquisitions and divestitures.

All of that ultimately rolls up into what I do on a daily basis. And you mentioned Eric. I have to say, yeah, to have him as my direct boss and the Intermountain CISO has just been incredible. The leadership that he brings is just phenomenal.

There's so many things I want to talk about with you.

Let's start with just you and Eric and the H.S.C.W.G. I feel hugely fortunate to be a member and to be involved and to be able to see the work that you all are doing and talk about the work that you all are doing. But is your membership in the CWG something where you got pulled in by Eric on something?

Or is it something that you've been involved in for a while? How'd that come up? Cause you're running some of the groups. You've been actually a group lead on

many. So Eric has never, he's not the leader to force anyone into something. [00:03:00] One of his greatest strengths is to let you know the opportunities and then you decide if you want to do anything with it.

Yeah, one of the groups that I'm working on right now is just the enterprise risk management. Just writing guidance for how small, medium, and large practices can roll out ERM and how they can be successful, specifically since it's not just cyber focused.

So that's one area that we're working on. Another area that I just barely got looped into is actually where we're defining what systemic risk is. So it's actually gonna up in the way that I think organizations, and specifically in health care, do third party risk management. So instead of just focusing on

a one-to-one relationship with the vendor, it's, what about all those 4th, 5th, 6th party dependencies that we all rely on, or at least our 3rd parties rely on. Our world was opened last February with a large cyber incident, right? When one major player got taken out and we all saw that downstream [00:04:00] effect.

So that's what this working group is really focused on. It's just honing in on the critical areas in the delivery of care, that ecosystem, and then honing back on how we can protect not just one vendor, but the entire system. Hence the name systemic risk.

Yeah, it makes sense. There are partners that we are all plugged into. And when those partners have problems, we all have problems. And 2024 was like the year that showed us that, over and over again,

in multiple industries. Airlines took a huge hit with a particular single point of failure, right?

Healthcare took their hit as well. Yeah,

It's amazing. One of the things you and I have talked about is the human part of this. You started a big deal on LinkedIn. A bunch of people jumped in on the conversation, but you made the point that most breaches,

at the 90 percent level, start with the human. Something is happening, the person's, you know, made a mistake. So why isn't 90 percent of the conferences' content focused [00:05:00] on the human, the first line of defense, the weakest link? We always talk about that being the human, but it's not. It's usually about technology or new techniques or something like that.

It's not about that human weak point. What are your thoughts on that? How do we make that better or fix it?

Yeah, that was an interesting post, because you always wonder how the committee will take certain provocative statements. Do I believe that 90 percent of the conferences should have 90 percent of the content be focused on securing the human?

I don't.

Yes.

But it blows my mind that asset number one, which is you and me if we work for an organization, tends to not get the level of attention commensurate to the risk. And this is true in all the frameworks too, right? What's the first thing that you do in most of the frameworks? You inventory your systems, you inventory your applications.

But you don't see training, educating, inventorying your people and the risk that they present to the [00:06:00] organization until it's closer to the bottom. I put that out there mainly to start a conversation and say, how can we ensure that area isn't overlooked? Because it is true.

90 plus percent of significant breaches start with breaking a human first. And the bad guys know this.

That's why they're successful,

They've been incredibly good at it. Again, I go back to 2024: calling the help desk and getting passwords reset and getting MFA devices re-registered, and all of the things that they've done to manipulate the person in the system to get access to the system, not pounding away on the technology and figuring out how to break it.

There's plenty of that problem too, but like you said, most of it started with some kind of stolen ID, or figuring out how to get an ID and an MFA through an individual that works with the company.

Yeah. And I think there's an opportunity for all of cyber to update their training and education.

A lot of us are required to take quarterly trainings, and those quarterly [00:07:00] trainings, it's, we've seen this so many times, and it's how quick can I click through this without getting in trouble? Or maybe it's not necessarily repetitive content. Maybe it's the way that we're wording things.

Like the average employee probably doesn't even know the term social engineering. So if you blast your content filled with these technical terms, it's just going to go right over them. But when you can break it down into this is how a help desk call that goes wrong could impact the service that you provide,

now you've got their attention. I think most of the opportunity to boil training and education up is within cyber itself, and I'm actually a fan and proponent of not just measuring training and education. That seems very check-boxy. What I want to do is measure behavior change. I want to see what good behaviors people are doing more of or should be doing more of, and what bad behaviors they're doing less of.

To me, that is a far more effective way of actually measuring progress.

When you talk [00:08:00] about the human, all of this is certainly the frontline human, but for you at your level, a lot of your support has to come from the leadership structure above you, at the board. Tell me how you do that.

You talk to maybe very non-technical people on the board or very non-technical people in leadership positions about these technical things and help them understand why cybersecurity issues are really important. What are some of the techniques that you use to make that case?

I'll share some that I've used in the past and some that I know our current leadership leverages, and you don't BS your way around it.

I think the easiest way to garner the support from a board member is to speak their language. So it's not flooding them with eight million incidents in the SIEM and all these lagging metrics. I think it's more identifying these core systems that truly allow the business to run [00:09:00] and then saying, let's just go through a scenario.

These systems are down for a prolonged period, not hours or days, but potentially weeks or months. Now, how do you run your business? And what does that mean if we have to completely rebuild? How do you continue to deliver care in our world versus we have to divert? And I think when we can speak at that level, and not just theoretically, but plan it, build it, exercise it, actually take the things down, now you're talking their terms, which is how does this impact our customers?

What does that do to the communities we serve? There's a whole bunch of scenarios there, but I think that's the easiest way. And it isn't easy. That is hard work. Anyone that claims to do that in a short period of time is probably just exercising or having a workshop, not actually focusing on operational resiliency.

A lot of this takes time, because you really have to get to [00:10:00] know the people that you're presenting to, too. You need to understand what charges them up or what makes them tick. It can be a business operations person or a clinical operations person. But when you get to the board, I use this example all the time, but I made a presentation to a board where

one of the board members was a professional golfer. And so you have to try to figure out, and you never know, right? This is, yeah, looking at the people that are in the audience you're going to present to and trying to figure out how do you connect with that person. Like you said, that's not easy. It takes a lot of work.

Yeah. Unfortunately in my role, that is something they're smart enough to send Eric to; they're going to send the CISO for that. But that is, he doesn't just play the game. I don't think any wise CISO would. How can you swoon your way to the board members? I think the smartest

first are collaborating with their chief information officers or the equivalent, right? That way, together, they're telling a compelling story and it's not two separate stories and two different priorities. And [00:11:00] then it's teaming with your peers across that organization. So that truly it's not just see.

So in fact, one of the best success metrics is when you have a board member bring up cyber, or when you have someone presenting to the board about a risk to cyber. It's not coming from the sea. So now I think you've reached an optimum level.

Yeah, I think that's a great indicator.

I want to ask real quickly about this. I saw that you presented something a while ago called the firehouse can't burn down, and we have all these fires going on in Southern California right now, and for some reason that, it is terrible. We all have friends down there that have lost clinics.

I talked to a friend of mine earlier in the week, and one of the clinics in their health system had burned to the ground. Folks are being evacuated. It's crazy, but it caused me to think about it just name-wise. It caused me to think about this presentation, and it sounds like there's a little bit of a story there, and I'd like to hear it.

I live in a rural town where multiple times every week our family has been able to watch this firehouse.

[00:12:00] I've never been able to watch a building built like this, erected like this, and see all of the steps that have been taken. So then I started doing research, because I noticed they don't use wood studs in a firehouse. It's all steel. And I noticed that they layer the outside with multiple layers of, I would assume, I don't know this to be fact, but I would assume it's some kind of a fire retardant insulation.

And it's meticulously placed. It's not just a roll or a blow-in. It's very prescriptive squares. And so I started doing some research and I was like, how often do firehouses actually burn down? Oh, and then they spray the whole thing with this black retardant. And I found that in Germany last year, in October, there was a firehouse that didn't burn to the ground, but it was 20 to 25 million dollars in damage.

They lost 12 of their vehicles and their fire hall and everything. And when asked why the fire alarm didn't go off at [00:13:00] the firehouse, they said experts determined that a fire alarm was not necessary at a firehouse. So here you have a scenario where you've got people that live and breathe putting out fires.

Surely if they smell smoke, something goes awry, they're going to be able to put it out. It's the fireman's job to do that. But in this case it didn't happen. They lost 25 million dollars for not putting in a few thousand dollars worth of monitoring. And so I got thinking about this, that in cyber, we can't let the firehouse burn down.

It has to be programmatically sound. There are just non-negotiables. You have to build a program in a certain way. Otherwise, you're going to have incidents and not even know it. So that was the talk that I gave at a conference, and literally, it was one slide, and I showed a picture of this firehouse being built, and we had some great discussions around it. But I think it just goes to show you can never be too sure; don't skip the most fundamental things.

That's typically where we get burned.

Yeah, the [00:14:00] basics. If you look at the stats and you look at how we are attacked, a lot of times it's just, if we did the basics, we probably could avoid most of it, or we would push them to somebody else who has avoided the basics. But the basics, it's the fundamentals.

That's how we keep ourselves safe.

I think about that Vince Lombardi, where it's, gentlemen, this is a football, and gentlemen, this is a football field. And my team gets so tired of hearing me say we've got to master the fundamentals, because I think it's just in those details. If you've been in cyber long enough, you can skirt around, you can say I got that, you have that basic level of understanding, but if you want true programmatic growth and maturity, it's mastering those fundamentals.

Yeah. And just building that foundation super solid. Hey, we'll do a little bit of maybe a lightning round here. This is maybe where folks get to know you a little bit better. The first one's kind of the bridge between work and personal, but what's your [00:15:00] favorite metric,

whatever you want it to be.

For work, my favorite metric is when an individual contributor gets recognized by a senior executive. I love when that happens. Too often the leaders get the recognition for the work of the individual contributors. So that's one that I like. Another one that comes to my mind is when you've got a process that you own that's a pain in everyone's side.

And you're just getting peppered with "this is broke" and here comes another escalation from this VP and there's 80 unresolved tickets. When you can fix that and go months without having a single escalation, that's an intangible, incalculable metric when you actually think about true metrics.

But it's one of the most rewarding when you can actually see, like, we fixed something that was systemically broken. That's something that one of my leaders has done with a program that he's owned, and it's been so fun to watch. We were joking the other day. We're like, we hit six months without a [00:16:00] single complaint.

He's like, I think it's actually longer.

Don't jinx it

Yeah,

I remember at one point coming into a health system and it was part of a turnaround. And every time we had a downtime, we got an alert through email, or our folks, we had a system and everybody got alerted through, like

Nagios or something.

Yeah. Yeah.

And so I used to print those out and just tape them on the wall inside of the door where, when you opened the door, a hundred pieces of paper would flutter, and it just drove everybody crazy. But it refocused everyone right on the, okay, what are we doing here that we have so many outages so chronically? And over time, the pieces of paper became fewer and fewer, but then, okay, there's no paper today.

What's happening?

It is really interesting. I used to dotted-line to the CEO of our health insurance arm. And so I got to sit on his executive team and I was a part of his regular staff, and it was just such a great learning moment for me. But he had something on his board [00:17:00] that basically said every call to our call center is a failure in his world.

He's the CEO, but had the CIO technically reporting to him as well. And he viewed that, the notice or every call that came in, it was someone that couldn't resolve something and needed help. And he said, so that was his reminder for bettering our systems, bettering how people log into our systems, the user experience.

And I've always remembered that every call is a failure.

Yeah. Okay, here's the next one. I know you're super busy. I really appreciate you taking time to do this. When you get unfocused or you feel sometimes a little overwhelmed, what do you do to get out of that? What's the question you ask yourself?

What's your technique to get out of that? Because people feel that overwhelmed feeling, I think, more now than ever before.

That's one that I wish I could say I'm an all-star at, here's everything I do, but I get overwhelmed just like other people. I think just recognizing when you have [00:18:00] that paralysis by analysis, taking the big thing and finding a way to just chunk at it, but keep moving forward.

And that's something anyone can do in their personal life or professional life. But even this last week, I had really good discussions with a leader that was really just, I'm stuck. What do I do? How do we make progress? The whole time, the conversation was just, you could tell that this leader felt overwhelmed.

And my job was to help him understand how he can break this down into smaller pieces to move it forward, rather than just try and build the perfect thing.

At the last CWG meeting, actually, somebody in the audience said something to the effect of, it's really hard to eat the elephant one bite at a time when the elephant is standing on top of you and stomping your guts out.

I think there was an AI-generated image of that, if I remember that exactly.

Yeah, I think I'm trying to remember who actually did it. Somebody put it up pretty much in the moment. It might [00:19:00] have been

Raj from Deloitte. I can't remember, but it was awesome. Or Ed from Cincinnati.

I think it was Ed from Cincinnati.

That's right.

The other thing I think is just, it's good to walk away from the computer. Like, it's good to take that time off. It's good to turn off notifications. I think we own our calendars, right? Like ultimately, at the end of the day, if we're overwhelmed, we should first look at ourselves to say, what have we over-committed to?

What have we said yes to? Or what meetings are we going to where we're not needed, or the meeting's not even needed? So I think there's an opportunity to look within before you blame the system and say, I'm just, yeah.

Yeah. No, I'm with you. There are a lot of young people who are thinking about coming into cyber.

What's your best advice for them if they're thinking about going down that path?

I think just figuring out where they can find their niche. The way I got into cyber wasn't through [00:20:00] cyber. It was through an anti-fraud certification. I also furthered my career in cyber by getting experience in internal audit.

Sometimes the best way to get into cyber is to start first outside of cyber. Specifically, if they're looking to get into healthcare, I think it's important that they view themselves as a caregiver. And that sounds really weird, because typically you just think of the clinicians as the caregivers themselves.

But that's a term a former CEO of ours really said: I don't care if you're sweeping the floor, if you're running finances, or if you're providing care, every one of you is a caregiver. And so I think if they come in with that mindset of, my job is to help patients receive better care, or if they work for an insurance arm, to have that commensurate service on the payer side, I think if they truly reflect this themselves as if they're directly providing care to the patient,

then they'll come in with the right mindset. If they're coming into healthcare to have a [00:21:00] career in cyber, it probably won't last that long, just because you truly have to have that feeling of it being a calling. Yeah. To last in cyber and in healthcare. The other thing I would just say, other than finding a niche,

is you've got to differentiate yourself from the other incoming graduate students or the other incoming applicants. And the best way to do that is not through phoning a friend and saying, hey, buddy, can you help me get hired? But demonstrating that value you can bring day one. So show me what relevant experience you have that is indirect to cyber.

I firmly believe someone that understands good communication, that can be a quick read, like, you have a place in cyber. You don't have to have a computer science degree or an IS degree or 15 years of networking to add value. I think you just, we need people that are committed to the cause and that are willing to learn.

A lot of this is back to the fundamentals, right? It's fundamental. I'm [00:22:00] really good at solving problems. I'm really good at communicating. I'm a good teammate. I listen. I learn quickly. Yeah. Like, a lot of those are just, the best people that I've ever, not just in cyber, but in anything as an executive, anyone that I've hired, I'm looking for those traits.

I can teach you all the other stuff, right? It's interesting. The last question. It's interesting that we have gone down this path. Part of the, I think, genius of being in healthcare is that people show up and they like the mission and they want to say yes.

And so they say yes to lots of things. They want to help, they're asked to help, they say yes. But sometimes that also, back to the previous question, gets people in trouble. They say yes to too many things and they've over-obligated, and then they really get stressed out because of that. You're at a point in your career, as am I, where saying no maybe has become as important as saying yes. Let's just say since the pandemic, what have you become better at saying no to [00:23:00] than maybe you weren't earlier in your career?

meetings,

Meetings.

I think that's the very first thing that comes to my mind. We just fall into this cyclical rut of meetings is how we get work done. Now, if it's a working meeting, then I'll say yes to that, because at the end of the day, you just got one step closer to the objective. So that's certainly something I've become maybe not even just more regular with, but maybe more known for, is hitting that decline button.

And I don't say that out of pride or to say I'm more important than the person sending that invite. But we have to be able to get done the work that we need to do. So yeah, meetings is one thing that I've gotten good at saying no to. I think the other thing would just be the number of projects that we can tend to find ourselves with.

It's not uncommon that a single team, so not all of cyber, but a team within cyber could have 30 or 40 [00:24:00] projects.

And all the data operations stuff that they have to do

Too. And you've got more than half of your staff that's doing ops work. You've got three times more demand than you have capacity.

I think culling that project list is just so necessary. It feels so good when you just say, we're not doing this project, and this is why. It also forces that conversation in saying, is the work we're doing, does it address the threats and the risks that we're faced with?

Or is this a nice-to-have? So those are the two that come to my mind.

I like it. I like it. What haven't I asked you that I should have asked you while we were talking?

If you got enough with personal, I'm good with that. I love that you asked advice for getting young people in or not, maybe not even young, but just people who are new to cyber.

I'm incredibly passionate about that. I devote a lot of my free time to helping people break in. And I've [00:25:00] seen some incredible success stories. And I'll share one example. And I can't take any credit for it, but I saw an individual do a complete career shift. I don't know his age, but I'm guessing he's in his fifties.

Did a complete career shift with zero cyber experience. And literally started from the ground up, took an apprentice position. And then has just proven time after time that his skills can add value in cyber. And he is doing incredibly well. And a quick read. It's just inspiring. It's even bettering the people who have 10 or 15 years of experience, because they're like, oh, whoa,

he brings all this other maturity to it, right, all this other just work-life experience.

Yeah, that's great.

And I've seen that story time and time again. Anyway, without getting into all the details, I've helped a lot of people help themselves, I think is how I would say it. They just needed the guidance, whether they're law enforcement, military. I do a lot of work with women in cyber [00:26:00] security, helping them get past that first interview, because half the time that's half the battle, is how you even get the interview.

And when I see that someone has that spark, when they're lit and they will do whatever it takes to get in, that's where I'll carve out time and I'll invest in them to help wherever I can. It's been super rewarding.

I will leave it there. Matt, thanks so much for being on the show today.

I really appreciate it. Looking forward to seeing you again. I hope our paths cross soon.

Hopefully soon. Thanks Drex.

That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.