This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] it takes 62 minutes for a threat actor to fully get that foothold in and out data out and everything. So, we're going to be very stringent on you see it, take care of it, and then we'll regroup,

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity and risk, and the people, process, and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Hey everyone. I'm Drex and this is Unhack the Podcast. I am super lucky today to have one of my really good friends, Steven Ramirez from Renown. But Steven and I have known each other for years from other places. And he's going to be helping us [00:01:00] with one of the 229 summits coming up in Phoenix.

I don't know if that will already have happened or will be in our past by the time this airs, but thanks for doing that. So good to see you. How you doing?

Good to see you. Doing great. So just getting through a foot and a half of snow out here in Kentucky. So I know all the Reno people laugh at me cause that's a walk in the park for them, but you know, we, we just got through all of that.

So we're making it,

It's interesting. We live in this kind of new, interesting world too, right, where you live in Kentucky, but you work in Reno and I know you go out on a regular basis and see the team and but that remote work model is, I mean, we're going to go all over the place to talk about a bunch of stuff, but that remote work model continues to be something that you all embrace out there at Renown.

We do. I go out once a month now. We just kicked off our strategic plan. So we have leader forum every month. So it's an in-person event and then our VP strategic meetings. So we all have our strategic key imperatives that we're partnering [00:02:00] on. So it's great to go, you know, see everybody face to face, but you're right.

Everything's so go, go, go that we have, you know, we all, you know, text with my CIO, my COO, you know, we're always doing Teams, that it's a very go, go, go society. So I think, you know, it's really good to have that level set, but there's some jobs that I feel makes more sense to be onsite. We have like a lot of our operational leaders there, obviously from an IT perspective, but yeah,

That makes sense.

Yeah, I can stay out of the way a lot of time. So. Just help people get the work done and, you know, just do what I need to. And of course, with the, the time change be up a little earlier to get things kicked off for the team. So, yeah,

You have a really interesting role too, because I think you jokingly, I very seriously, refer to you as a CISTO, the chief information security officer and the chief technology officer all rolled into one. It didn't start that way. You want to tell a little bit about the story of how you wound up in this role and then you're making some additional changes now.

So tell us the whole story on that.

Yeah, so infrastructure [00:03:00] technology has definitely evolved and I think that's kind of where the industry is going, you know, with the digital transformation, you know, we were forced to go one way with COVID and now come back to kind of do like stabilization, start to modernize and optimize again. So when I started at Renown, it's now my three year birthday. So I've officially made it, right? That's great. Chuck in the Renown team for three years. So when I started, just was hired on as a CISO again to, you know, rebuild and, you know, really start to do a lot of that. Chuck's always been a very cyber security conscious guy.

So,

yeah.

Came in to do that. About a year and a half in, there was an opportunity through a reorg that Chuck then knighted me the CISTO. So I took over security infrastructure, technology operations, service desk, really, you know, soup to nuts on all of that. And it really made sense because again, as we were going through the stabilization point, you know, we weren't doing patching well, you know, there's a lot of security initiatives that actually were moving the needle on the technology side. So it's like we were using RADIUS and a lot of older tech on the MFA side. So we wanted to go to a more [00:04:00] modern platform and use SAML and stuff like that. So there's a lot of natural synergies. So just being able to go through and just have the typical CTO and CISO sometimes would have to get a beer to work things out, but no,

it's worked great. I've done been doing that role for about a year and a half. We put together a lot, you know, our strategic plan together internally for what we're going to execute on both, you know, inside out to make sure that, you know, really delivering to our patients, our community, and, everything is part of our strategic plan.

And there's so much growth in the technology side that and working with our CIO, Chuck, that we decided to branch off a VP of data center and network. So very niche on that, because we just did a refresh of our local data center. You know, we have a lot of managed service partners and just, technical debt out there that, you know, we're looking to consolidate, you know, as we go through our strategic plan.

So it just made sense to have another leader that's been there, done that as we're looking to do that. So I will still remain the [00:05:00] CISTO. So that will stick around, but I'm going to be the front end technology. So we're thinking about the restaurant, the server, the hostess, all of that, the very front facing.

So the service desk, desktop, telehealth, operational support, because clinical teams own that. So there's a big play on security on the services that we've known. So that's, you know, a natural synergy on that. We're going to ServiceNow this year, like our own instance of that. So I would say a big project on that with some automation potential.

So there's a lot of stuff I want to focus on from that front end tech. Our cyber security road map, which I'm sure we'll dive into as well. That it really made sense to bring in another leader to help support us. So really excited to do that. We're getting in our final stages of candidates for that.

So hopefully we'll have a selection by the time this is out.

All right, well, good luck with that. That idea of having somebody who's hyper focused in the back end on the back end about tech debt and what's the best process to consolidate and all of that. I love your thinking on that.

And then the idea that from a CISO [00:06:00] perspective, like everyone's involved in security. Whether it's the technology side or the applications teams, or obviously then the front end, people who are touching the patient, they're all involved too. So that role has continued to really evolve.

I used to think about, because I'm recovering CIO, everything was very CIO centric, right? I used to think about the CIO kind of being the, I've got my finger, in all the pies in the organization. That is definitely what's happening with you. All that going on, you're doing a bunch of work on identity right now. Tell me a little bit about that story.

It's been something I've always been personally passionate about, as you see a lot of these ransom events and cyber events, it's always zeroed in on some kind of improper access, external access, you know, MFAs, all of that.

You see his stats now to say like 90 percent of breaches start with an identity issue. So yeah.

Yeah. So there's been a concept out there. It's ITDR. So I know for IT people, that might confuse you thinking IT disaster [00:07:00] recovery, but it's really identity threat detection response. So it's more focusing in on anomalous activity and behavior associated with that.

So we do a ton of work with our MSP and internally to really put a plan together that we're starting actually the piloting of that right now. So more of empowering the SOC to action certain identity activities. So instead of Drex telling me, you know, as my SOC manager, that there's this thing going on over here and there that's go kill that activity. So, you know, we're going to be very stringent on just like, you see it, take care of it, and then we'll get on regroup, you know, pretty quickly to do that. Cause I just saw I was at a conference last week and it's saying it takes 62 minutes for a threat actor to fully get that foothold in and out data out and everything.

So you basically have an hour. I know there's always been that benchmark, you know, getting that alerting and whatnot within 15 minutes to be able to action that. So it's like, we have all of this data. We've talked about MFA forever. We've talked about PAM, but I think that that's really just [00:08:00] scratching the surface on that.

So definitely have to give a shout out to 229 that, you know, for a reference for some various tools that we've been looking at. So we're bringing in some zero trust tools, some advanced PAM tools, some pretty cool technology this year that's going to really help operationalize just telling us something bad's going on, but more just actioning that.

So yeah,

So a lot of those tools are good process tools that help you clean up things and manage things and feel more comfortable that you have good processes, but it is the, you know, speed is everything. Right now, like from the time you detect something to the time that you shut it off or stop it or remediate it even as much as you can compress that down, because like you said, 62 minutes. Was talking to our friends at CrowdStrike the other day and they're about ready to come out with a new global threat report. And you know, they've compressed that time down. Some of the shortest breaches that they've seen are in the single digit minutes from the time they started to the time they were [00:09:00] in. So it's, you know, speed is everything. Want to hear more about that. I think we're,

We're super excited. So it's like really pulling together a lot of different technologies, obviously from the endpoint, we all know, you know, EDR technologies, CrowdStrike, SentinelOnes of the world are investing in that identity. So, I mean, that's brilliant, because again, the more we can do on the endpoint before it gets to our, you know, crown jewels and Active Directory and everything. So really that layered defense that we've always talked about, throwing in a little deception as well. So we're looking at doing that as well. My whole reference is again, I'm a big reference guy.

Like can we drop a couple twenties outside the bank to slow the guy before he comes in? Because again, time is of the essence. So yeah. If you can

sandbox them out or something, get them interested in something, you know, honeypot them or whatever, and kind of get them interested in something else.

And I think that's a very underutilized technology. And I think this is a great opportunity to do that as we're looking specifically at identity. So we're really excited to do a lot of that. Our partnership so it's, [00:10:00] you know, it takes a village to do this because again, just my internal teams are working with a lot of day to day stuff.

So this is really cutting edge stuff, bringing in a ton of telemetry, a ton of different stuff. So we've really leveraged really the phrase prepare, fortify, combat, that's their mantra. So again, that's not Steven's mantra, but that's their mantra for how we're going to tackle a lot of these pieces.

So like knowing our adversaries, getting threat intelligence, going through and having, you know, AD hygiene going through and like kind of these core fundamentals that we should have now in 2025. And then now, how can we start to combat some of that stuff? Instead of telling us something's going on, how can we, automate and do a lot of that stuff that again, leveraging SOAR, leveraging AI to do a lot of that's where I think AI can do some good for us on some, simple use cases like this.

So we're really excited to, really take that. That to the next level because we're just kicking off again, our three year roadmap right now identity is one of our key pillars and looking at that deception and automation this year and then [00:11:00] just Chuck and I've been talking a lot we actually had a great discussion the other day too, that it looks like the paradigm shift too is going into cyber resilience is a big word, like Because we know a lot of this stuff's going on, even, you know, if this secret sauce stuff I'm trying to put together that doesn't make you bulletproof.

So how can we be resilient as an organization, with immutable backups, you know, architecture, that's where it helps being the CTO as well, you know, and a lot of what we had put together for our strategy and look forward to partnering with our new leader that comes in as well

for

that as well.

But we've really narrowed it down to alerting, prevention, blocking, isolation, and then recovery resilience. So that's what Chuck and I are just trying to, again, make that down because I'm from an education standpoint, awareness, metric standpoint, again, that it makes it easier instead of us trying to do, like the performance goals were great.

We're sharing like 10 key areas of focus on. That's great. But that's probably better for more our technical audience, GRC. But if this is Chuck's going to president's council, we're going to our [00:12:00] board, we're doing GRC committee, that more having that boiled down version to say, this is what this is, specifically giving examples.

Yeah, that's awesome. And I mean, it rolls right into my next question, which is as you, because obviously you're making a ton of investments and you're spending a lot of money, but you're also doing a lot of simplification in the same motion, right, to spend less money and make it easier to manage, how do you justify what you're doing to the board and other execs who may be largely non-technical, but you still have to kind of help them understand the investment. What's your secret?

Well, I've been lucky at all the organizations I've been at to have a very security conscious leadership team and CIO as well.

So if it was sunny at UofL, you know, he was great at helping garner in the fundraising and everything that we know, you know, we need to get that done. And then of course, Chuck, you know, Chuck, I always say I'm sometimes a deputy CISO because he's so security focused and strong [00:13:00] and he's always championing that.

And it, it makes my job easy. So it's like, we're just very tasteful and tactful in what metrics we give to like our executive leadership and then the board. So at Renown, we have a governance process. So all the CEO's direct reports, Chuck presents anything IT-related through an SBAR process, so,

Hmm, great.

I put together a security SBAR and our thought process is always, instead of just doing a year, we need to show the bigger picture on, you know, where we are today from a maturity and where we're going over the next three years. So he takes that up through President's Council and helps secure funding and then I take it on through our committee structure. So we have operational compliance, our governance, risk and compliance, audit and compliance steering committee of the board and all of that. So that's a quarterly basis, GRC's monthly, and we go through and again, give metrics, give data, what's going on on the news, what's Renown doing to do this.

So it's a continual education process using examples. I know Netflix is coming out with that show, [00:14:00] Zero Day. So it's like, I'm going to share that like guys, like just go, I know it's not all going to be cyber related, but the whole premise of the mini series is going to be a zero day attack. So it's like just giving you some more entertainment to understand cybersecurity and the backend workings to that.

So just stuff like that on, on educating, but I've always been lucky. It's not been, obviously can't go crazy, but ROI perspective. It's been fairly easy to just justify the what and the why with just continuing deliver value on keeping us out of the paper. I think it's the biggest thing on delivering on our mission that our executives know that this threat isn't going away.

You know, we have an internal risk process that cyber security is always ranked the number one organizational risk. You know, they see it through cybersecurity insurance. We've obviously, you know, been on the downtrend on that, just on our investments on that, so it's, you know, kind of those soft costs that we can impact with what we do.

Your investments in your engagement organizationally has had a positive impact [00:15:00] and am I saying that right? It's caused your cost of your cyber liability insurance to go down.

Correct.

All right. And then

it's, you know, it's always a question, you know, when we do bond rating and stuff like that to have a packet.

So

huge

having that ready for our financial team, if they ever need it. And then accreditations, beginning of the year, we're going to get all of our specialty pharmacy, all that other stuff. So it's always important to have that, have a lot of these different pieces in place, that the regulatory landscape's always, can be hot or cold, depending on who's in Capitol Hill, as we're seeing on regulation, but really, again, what we've always said is that our primary focus is our operational continuity.

That's why we make investments in our program. The secondary is again, class action lawsuits. As soon as something happens, you're going to have those lawyers after you. And then obviously the regulatory side, very important. So, three people that are going to be on your back almost instantaneously as that happens.

So if there's any deregulation, we just self govern and that's two people I have to worry about. So it's never, yeah, it's never going to be like, a day you can [00:16:00] take off, let your guard down. And it's really just keeping our methodology to really adhere to our structure and our mission and values and our strategic plan.

So it's very easy to say, this is where we're going. And cyber being like an imperative to really support all of that, especially the investments in technology. So they get it. So it's been easy to just get the ROI just to, you know, show the value that we're doing on protecting the organization,

and training and awareness. So

You make it sound easy. It's not very easy. There's actually a ton of work. I know that goes into what you do to make it to the folks that you have to move into your camp. Executives and board. There's a lot of work that you have to do to figure out how to speak their language and help them understand and not make them feel dumb too.

You can't talk down to them. So there's, I know you make it look easy, but I also know it's not easy. So great job. Love watching some of the stuff that you and Chuck are doing out there because it really does set up kind of a benchmark for the [00:17:00] rest of us. In all of that, you ready for the lightning round?

All of that stuff or in anything else, what's your favorite metric? What's the thing that you track, you know, closely?

Well, phishing was always one of our favorite. We went to a great new tool. It's like the CrowdStrike of phishing. So it's always cool to show the level of that on who the top target is.

Like almost can be a competition when, you know, we're sharing it to that. Oh, look at our CEO was most targeted. Now this time it was our CMO. So they love to kind of see that data, but also thwarted attacks. You know, there's a lot of information we can get out of EDR. I think we've done a great job in vulnerability management.

So not a lot of organizations have that dissent it's more. We're leaving the airport. So we've done a great job on that. So I really think that they love seeing that as well. But that's great question as well. Because this year, that's one of my goals with Chuck actually to put together a meaningful dashboard of that because that's so hard.

It's like we go to these events, we go to conferences, you know, and a lot of, you know, my colleagues I talked to, like, how can we get [00:18:00] meaningful metrics that, mean something to the business. So I'm going to try to focus on like security posture because we're making a good investment in, technology, like threat intelligence, like how can I more boil that down to make sense to dark web monitoring, etc.

Our compliance, of course, risk management, and then the resiliency piece. So I'm going to really try to get some key metrics to that on like endpoints, you know, systems that we've done DR for, you know, et cetera, really see go, it's probably going to be a few iterations on, does this make sense to you?

Does this make sense for this level? So really excited to start to dive into that with a lot of the data we have. Nice.

It takes me on another route to, when you talk about resilience, I know we talk about it. The technology stuff that we're running resilience, but then there's all the business continuity stuff Are you responsible for business continuity there too, or I'm not sure responsible is the right word But

Renown's great on that.

We solve a lot of things with committees. So we have a disaster recovery committee, disaster recovery, business [00:19:00] continuity and emergency management. So at our organization, emergency management owns continuity and those operational recovery plans. And we own obviously the recovery of the system.

So, you know, obviously we know like Epic's our core EMR, radiology, all of those systems. So have those thresholds from BIAs on ensuring system uptime, but our emergency management group does a very good job of that. So with a lot of the technology changes that I spoke to, we partner with them. Our downtime planning is amazing.

So like we go through and we go through, it's almost like mini incident commands that we do for every little event. If it's like a closet refresh, if it's a core upgrade. So they do a great job of really taking that by the horns using the HICS structure. So again, that they know it's going to be something that interrupts that, pulling in our nurse manager, you know, our executives on call.

So I have a very great process for that kind of stuff. So that makes me feel warm and fuzzy that if we ever have some kind of event that we're, you know, battle tested on, you know, [00:20:00] knowing our functions and incident command, so,

That is one of the hardest things I think for a lot of organizations right now is the business continuity, that practice during day shift, that kind of understanding that the plan to be out for,

an hour is not the same plan that you have if it turns out that you're going to be down for 30 days. And what do you do? And it's sort of thinking about all that because they're all busy. Everyone's busy. And so taking time to do that takes a special effort. Speaking of being busy We're all pretty busy when you get unfocused or you feel overwhelmed.

This is a personal question. What do you do to kind of hit the reset button? What's your process?

Well, when it's not 20 degrees outside, you can ask my team that sometimes they'll just hear me walking. I'll take my dog for a quick walk. If it's just a one on one with like my manager of cybersecurity or it's a my contract manager, you know, various team members, that it's just more of those one to one things anyway.

So it's just going out and getting some good old fashioned fresh air and [00:21:00] sunlight. I think that's really a good way to help. Wind things down. And of course doing workouts in the morning, , as a CISO and the T part as well, you never know what's going to happen that day. So getting that out of the way early really just gives you the energy to keep doing that and take care of yourself too, because you've

been running a ton.

Yeah. I have my little Peloton right over here. Thanks. I don't know if she's trying to tell me something. So

mine's right over there. What is your Peloton? What's one of your, what's your favorite thing? What just in general, what's your favorite thing?

I love the 20 minute runs because you can go a little bit faster.

I ran track back in high school. Let's see, never made it to the pros, but you know, still very passionate about that. So the 20 to 30 minute classes really just love those. Cause it helps like motivate you versus you just doing a run on yourself. You could cheat. So it's like very competitive. So if I see, Oh, Drex, Drex or Wes are right ahead of you on this board.

Man, I got to step it up. So yeah, I love it.

There's a lot of folks who are thinking about getting into the [00:22:00] cybersecurity business, young folks coming out of college or coming out of some kind of training. What's your best advice for them?

You don't have to have cyber security experience to be successful in cyber security.

I think as an industry and that's something, , with our partnership with you and our that really something I'm trying to look at if we can do better is getting in more interns so people can kind of see where their niche is. Yeah, because there's so much to do it when you say cyber security that can be GRC, that can be resiliency that we've talked about security operations.

So it's like really understanding, do you want to be the guy at the keyboard? Do you want to be the guy that's, creating the metrics or do you want to be somebody that's like really doing some of that resiliency planning? So I think having that it's easy to jump into, it's a very evolving.

We're going to see a lot more investments and opportunities in that. So just, if you want to get into cybersecurity, just get a mentor. And then don't be afraid to apply to something and be creative and the description of your background, because you know, from talking to a buddy that's, [00:23:00] CISO down the road from me, he hired a elementary teacher to do his training and awareness.

Like, think of somebody and even cyber is not a terrible idea, right?

So it's like his whole premise on that. And he runs one of the better training and awareness programs anyway. So it's, and I think that's all at that core, like stuff that's entertaining and that makes sense to the non technical opportunities like that.

Or I think an accountant would do a good job at forensics I think that we need to do a better job of just instead of blanketing cyber security going out and just having discussions and people should never feel like they're not qualified because there's always a job that somebody's done that can be valuable to cyber security.

So.

I've talked about this before. Some of the best people I've ever hired into project management are bartenders, right? Like they were bartenders in college, or they've been bartenders as a side hustle or something, because you got to manage money and talk to people and, and juggle 50 things at the same time.

Remember drink recipes. Like I like that idea of just bringing in interns too, [00:24:00] and just letting them go through the rotation and maybe the thing they were thinking about isn't the thing that they fall in love with, and that's exactly what you need at the time, so. Yeah, that's great. We're all kind of wired in health care, I think, to say yes to everything.

We're asked to do a lot of things and help with a lot of things. And we always say yes. As I've gotten older, I've, I say no to more and more things because I think I've started to understand that, I build in a system that starts to overwhelm, you know, anything that I can do.

You continue to progress through your career. I know that you've also thought more about this idea of like, I have to say no to stuff. What's one of the things that you're saying no to in 2025 that maybe frees up a little more cycles for you to do the stuff that's really important?

Well, I guess it's a double edged sword.

I'm really excited that full conference schedules are back because we didn't get to do that for such a long time that I feel like excited that HIMSS, ViVE and all that stuff's coming up. But you got to have a good [00:25:00] balance between going to that, staying relevant, building your community and friends that you can bounce stuff off of.

I think you guys do a great job of that, just in the things that you guys set up. But yeah, just not trying to do too much to just burn yourself out. So even on the personal side, something that might seem like it's fun balance, especially now being married, I've got to remember that I've got to cut down more on, you know, my job is already, it takes nine to 10 hours a day.

So I don't want to, got to make sure that I keep the wife in mind either to an event I can bring her to, or just not say yes to as many, we're going to be super busy this year a lot with, we detailed we're doing anyway. So, and also just saying focus, not trying to let anything deter what we're doing.

We have our plan that stick to it. So staying away from the shiny brand objects.

I mean, that is a thing too, right? We used to have this sort of sign on the wall that was, these were projects that people had suggested that had gone through the process, but had been ultimately had been deprioritized and we, there was a [00:26:00] sign on the wall that basically said, you know, we were saying no to these projects because you still have people in the organization that want you to do these things.

And they're trying to figure out ways to like do a little black operation or something and, you know, get the thing going. And so you sort of have to actively say no to those things. Yeah, thanks. That's a good diatribe on some of the things that you're doing to give yourself some time back.

Hey, thanks for being on the show today. It's always fun to hang out with you. I'll see you in person here shortly again. show probably air for a while, but we'll probably am already hung out by then, but I'll definitely see at the big show the big conferences. And yeah, I really appreciate you being on.

Of course. Thank you. Good to see you.

That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the [00:27:00] Podcast. As always, stay a little paranoid. I'll see you around campus.