This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the Podcast): Creating Security Ambassadors and AI Ethics with Chase Franzen

[00:00:00]

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity, and RISC, and the people in process and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Drex DeFord: Hey everyone, I'm Drex, sits on Hacked the podcast lucky enough today to have Chase with me on the show. Hey, chase.

Chase Franzen: Hey, Drex, how's it going? Happy to be here. Looking forward to the discussion.

Drex DeFord: I think it'll be fun.

You have a really interesting background compared to a lot of CISOs. So here's my question. At some point in elementary school, when you were growing up, did you say, you know what I wanna be when I grow [00:01:00] up? I want to be a CISO in healthcare.

Chase Franzen: I think if you would've asked me, I would've said that I wanted to be a fighter pilot. In the Air Force. I do now fly airplanes. So I've been lucky enough to pursue some of that. But I never did get into the Air Force. I grew up I like to think that I spent most of my formative years trying to, escape technology and not be an IT nerd only to over time realize that, man, I'm an IT nerd. Like I love this stuff. And I would say that was most of my background is what were you

Drex DeFord: trying to escape? What was the escape part?

Chase Franzen: So when I was in middle school to early high school, my family moved to a very small Caribbean island where there was nobody my age on it. I didn't have very many friends. My mother would not let me play video games. She told me to get outside, but we did have a computer and I had to learn how to program to [00:02:00] make my own video games and kind of, tinker it around like every other tinker out there.

And I like to break stuff and put it back together. And was kind of, forced to do the it thing out of kind of just not having much else to do on this tiny island. Ended up moving off of the island and I, wanted to go into college for business marketing, wanted to do kind of a suit and tie thing and then.

Kept coming back to it because that's what I was good at. I'm a tinker. I again, like to break things, like to put things back together, have a weird varied background from there. I like to. Joke that I have career and hobby ADD. So I've done things like I was in real estate and had a general contractor's license.

Oh, I didn't know that. And a little bit of an electrical license. Yeah. I was a college professor for almost 10 years. I owned a restaurant for, we actually just closed it about a month [00:03:00] and a half ago. Owned it for 18 years.

So kind of other things outside of tech. But really the passion and the desire to really be a nerd has come back and back. And so here I am. This is the calling. I don't think I'll ever be able to leave technology no matter how much I might like to you

Drex DeFord: you didn't start in healthcare though. Your background No. Around security started in other industries.

Chase Franzen: Yeah that's absolutely right. So, I went to school for economics, political science thought I wanted to be an attorney changed directions, went and got an MBA in finance.

And most of my career has been in banking, finance, a little bit of retail. Sharp healthcare is the first time I've ever worked in healthcare and. I will tell you, and most folks can probably back me up on this, that have worked in other industries. Healthcare is a very interesting beast, especially in the world of [00:04:00] cyber.

Drex DeFord: Yeah, that might be the understatement of the whole

Chase Franzen: interview.

Drex DeFord: Yeah, for sure,

Chase Franzen: for sure.

Drex DeFord: There's a bunch of stuff I wanna ask you about. Some of it is probably obligatory stuff that I'm gonna ask you about. becuase if we don't talk about people say, how did you not talk about that? Well, let's start with I know October is still a ways away sort of cyber cybersecurity awareness month, but.

I know that you have some really cool stuff going on with cybersecurity awareness. Tell me that story. Shauna Hofer at St. Luke's in Boise is like, you should ask him this question, so we'll start there.

Chase Franzen: Well, that's awesome. And thank you Shauna for throwing that out there. Shauna and I have talked a lot about this and she's one of my best friends in the healthcare cybersecurity world, so really appreciate the amazing community, that we have in the healthcare cyber world.

So Shawna and I have talked about this a lot, but I think we're doing a [00:05:00] few things that are a bit unique in the kind of cybersecurity training and awareness area. So, Drex, like you said we've got the big October cyber awareness month coming up, but I'll throw my kind of cheesy plugs out there right away.

It's not just October that we should be caring about cyber awareness, right? This is a year long activity. I'll say the first thing that I think is important from a cyber awareness perspective is. That it should be fun. All too often I think cyber departments are viewed you run into, somebody in an elevator, in a hallway and they find out, oh, you work in cybersecurity. And inevitably they go, oh, you guys are the ones that send me the phishing emails. Right. And I think all too long we've kind of, we've laughed about that as you know, as cyber practitioners, but. That's not what they should be saying, right? That's one like itty bitty tiny piece of what we do.

Cyber [00:06:00] education should be way bigger than phishing campaigns and teaching folks not to click bad links. So it should be fun. It should be year round. And it should be attention getting. So, I've mentioned this to people in the past, but our leader over cyber training and awareness Peter Lopez-Perez great guy.

He comes from a very interesting background. So we talked about my background. He's an even kind of more interesting background. He's a shrink. right So he is a marriage and family therapist. We brought him in with the idea of at the end of the day. The content cybersecurity can be taught we can teach you anybody about cyber safe practices.

The difficult part is like, how do you appeal to people? How does human behavior work? How do you meet people where they are? How do you make it [00:07:00] applicable to them in their daily lives? And Peter is fantastic at that. So the first thing that I think we do differently is just take a different approach, right?

We're not trying to shove, cyber nerdy technology, words and concepts down people's throats. Yeah. We are meeting folks where they're at. So targeted training. One of the things that we do really well in anticipation for October coming up here. We have quarried leaders around the systems.

Hey, what things you've seen in the news about technology, about ai, about cyber that are confusing, that are interesting, that are maybe sexy or maybe scary. How can we, from a cyber perspective, help with that? Do you want us to come to your groups, to your huddles, to your staff meetings and tailor education around these topics over the course of the next couple of [00:08:00] months?

And we've gotten phenomenal responses about that because not only do we ask, but then we actually do it. We're not coming to these teams with just the same crap that we've regurgitated a million times. Right. Here's the stock PowerPoint

Drex DeFord: deck. I'm gonna tell you this. Yeah exactly. You heard last year at this time.

Yeah. This's great.

Chase Franzen: Yeah. We'll come and we'll talk about kind of what they've seen, what they've done the fears that they have and tailor it to them. Secondly we have a really successful cyber ambassador program. So we're in our second full year of this, our second cohort.

Our first year's cohort had, and this is completely voluntary, right? We had 400 people in our system. We're a 20,000 employee health system. We had 400 people that signed up and said, I'm interested in cyber. I wanna be an ambassador. And we put them through a series of, I think it was 12 educational sessions where [00:09:00] we taught them things.

That they can then go, was that

Drex DeFord: in person or did you do this virtually? How did you.

Chase Franzen: It was hybrid. So we did some in person and some virtually. And they would come in and they would learn things that were interesting primarily that would then start conversations. So for example, we had one of our security analysts that showed how lock picking works.

And as you might imagine, people are like, oh my God, this is crazy. We did a. How a cyber attacker does osint, right? How they do open source intelligence and then crafts a phishing email to include how do people spoof email addresses. We did one around deepfake, so these concepts where. From a non-technical perspective, we kind of pull back the curtain.

And show you how do the hackers do it. And that's really interesting to folks. But it starts a conversation and then we kind of end it with the [00:10:00] educational component. This is what to look for if we could tell you to bring one or two or three key salient points to your team, this is what we want you to tell your team.

And so that's been super, super successful this year. Our cyber ambassador program is even bigger because the folks that were part of it last year said, this is one of the most fun things that I did in my month. And it's also really interesting and we learn a lot of really great stuff. And so just that kind of, viral nature of people talking about it has been really successful for us.

And then maybe well, lemme ask you a question. Yeah.

Drex DeFord: So you, so you've got 400 cyber ambassadors.

Chase Franzen: That was last year. I don't know, I don't know what we have however many year,

Drex DeFord: right? This is good. This is a good problem to have.

You're teaching them courses, but you said like 12 courses. Should I interpret that to mean like one course every month you set 'em down and sort of teach 'em something and then they go out and evangelize that for the. For the [00:11:00] month.

Chase Franzen: That's spot on, so, okay.

Got it. Got

Drex DeFord: it.

Chase Franzen: So, so, so once a month we drill down into one area. It's usually an area that, is either super important to our current program something we're working on, something we're trying to affect change in, or something that is hot, that, that has affected maybe other health systems, a recent cyber event or something that is in the news.

Right. So. AI and effective AI, on cybersecurity has been a topic that we've gotten a couple different sessions from, but you got it once a month 12 months. That's how it works.

Drex DeFord: I wonder sometimes it's even the stuff that affects them and their families personally, right?

Because that good cyber hygiene at home then becomes good cyber hygiene at work.

Chase Franzen: That was one of the most successful sessions. I actually think we did two sessions on. It was. Forget about the workplace. Let's talk about home. And as you might imagine, inside of that session, we got dozens of [00:12:00] the, Hey, my elderly grandma got this text from the IRS, my, husband got this email from Norton Security saying that they overcharged him, we got this type of phone call.

So a lot of those different examples in talking about. Home cybersecurity and scams and how pervasive the scamming kind of industry is.

Drex DeFord: This is all really interesting because I was reading something and then talking to somebody about this the other day. Their organization was in the throes of a cyber event, and one of the distractions that the bad guys used was that during the cyber event, they found one of the analysts and they created a situation at home for the analyst, which took the analyst out of the game.

Right. Because now they're dealing with this home. So yeah, absolutely everything. Absolutely everything connected to everything else.

Chase Franzen: Super sophisticated. Yeah, it sure is. Yeah. Yeah.

Drex DeFord: You said it, so we gotta talk about it. Let's talk a little bit about AI and what's happening with AI and [00:13:00] cybersecurity and what you're thinking about it.

Chase Franzen: Yeah. I go back and forth on ai. Seemingly daily right now. I'm, like many of us, super excited about the kind of potentials of it, especially in the world of cyber. I think about how, gen AI can increase the amount of visibility that we have. In a security operations center.

I think about the implication on something like, phishing emails, right? And understanding the nature of an email gen ai, reading an email going, eh the goal that this person is after is not, something that is good. It's nefarious. So I think we've got a world of benefit.

But I'll be honest, Rex, I am super fearful of the ethical implications of [00:14:00] ai. I'm worried that we don't have good oversight, discipline and I'm not talking about sharp right now, by the way. I think sharp healthcare, just generally and I can talk a little bit about that. We, I think do an above average, a good, a great, in some cases job at AI ethics and oversight.

But I think as a nation as a people, i'm not sure that we've figured out how to have effective oversight. It was interesting that I was listening to a podcast just this last week with a person that I won't name on it who has been in the news a lot talking about his AI technology that he's got.

Talking about how powerful it is and how much smarter it is than, the smartest researcher that spent, 12 years at Stanford in a singular topic and how, this AI is even smarter than that, but it's smarter than that in [00:15:00] every possible discipline. And I look at that and I go, gosh is that.

What we want and need, and have, we set up boundaries that can be enforced. And beyond that, I worry about the environmental, the really real ROI on this stuff. So, again, economics background. Yeah. This stuff is super expensive, from a power perspective. Power consumption. Yeah.

From a, distribution perspective, from, just a land use perspective, are we really recognizing. The full cost of creation and ownership of this. Or are we just, to coin Milton Friedman's term? Or are we just being irrationally exuberant about it? Sure. We can do it.

Let's do it. Sorry, I just went down a little bit of like a philosophical, this is how I'm feeling, but it's, it is both scary and [00:16:00] great. Right? And anybody that says otherwise I think is lying to themselves. From a cyber perspective, I'm of course very concerned about, the deep fake possibilities.

I am concerned about how good of a social engineering campaign AI can write, right? Like, AI is way better at, at writing an email than me. Gone are the days of, look for bad spelling and bad use of branding and, extra spaces and extra line breaks like it is. You can

Drex DeFord: sit down in GPT and say.

Can you write an email? Here's what I wanted to say and I would need for you to write it as a native English speaker from Indiana who has an eighth grade education. And it can That's right. Print that out for you. It just doesn't matter that all those clues doesn't matter, like you said we used to look for, they just don't exist.

Chase Franzen: That's right. So I think that, we are in a very interesting time. Changing rapidly. Ev every day is something new, some new [00:17:00] capabilities, some new LLM, some newgen feature. Trying to keep your hands around it is super challenging at Sharp. I mentioned our AI ethics and oversight committee.

So everything that has true AI in it has to go through this committee. I'm a member of it. It's chaired by our CMIO. Mm-hmm. Has clinicians in it. It has technicians in it. We have our diversity and inclusion officer as part of it. We've got of course, legal, et cetera.

It's a great multidisciplinary group. And really we are looking at not only the ROI of this stuff from like a true, complete cost of it but we're also looking at the ethical implications and really figuring out like, is this the vendor that we want to do business with in these very critical areas.

Are they doing AI correctly? [00:18:00] So you're tracking, so you're thinking about not

Drex DeFord: just the tech, but also the company. Oh, absolutely.

Chase Franzen: The

Drex DeFord: company reputation as part of, absolutely

Chase Franzen: I think that piece is important, right? Because again we're very early days here.

So it's, and it's not only the company and reputation, it's are they good? Are they ethical? How are they approaching these very difficult kind of philosophical conversations? And thoughts about ai. We're tracking. We have approved over 30 ai capabilities at Sharp, and we're tracking over a hundred right now that are in use at Sharp.

To give you just a little bit of insight into the magnitude of this at a health system like Sharp.

Drex DeFord: Yeah, The amazing part is that we use a lot of software as a service partners today. And on Thursday when you go into the application, there's a new, click here to use AI button that nobody knew about, you didn't know about and didn't approve, but now it's just part of the application. And so people do things in good hearted interest [00:19:00] of just getting the work done, but they wind up exposing data. They probably shouldn't expose or do something they're not supposed to do.

I'm with you. I'm a big, I think back. It was only three years ago or something that we started with ChatGPT, like that. It's still like a little tiny baby. Just announced. I think it has the valuation. Yesterday, maybe I read something. Half a trillion dollars. Incredible speed. Incredible growth.

The more they know, the more they figure out how to do and not just that. Yeah, open ai. Company. But but all of them,

Chase Franzen: And you look at that, so three years you look at the hockey stick and you go, what is that trajectory look like as it's a really both interesting, fascinating, exciting and scary at

Drex DeFord: the same time,

Chase Franzen: thought where are we five years from now?

It's

Drex DeFord: Where we were in January and what we're doing with deep fakes. I don't know if you've seen. I do this show called UnFake now [00:20:00] too, and a lot of it is round, deep fakes, and I've deep faked my own voice. I've, I've done some other stuff too, and it's just, it's amazing.

Like every month there's something that's. 10 times better than the thing we had last month.

Chase Franzen: It's funny you mentioned, you deep faking your voice. One of the things back to the cyber training awareness, how do you get people involved?

So we do. The yearly mandatory compliance in cyber education that everybody does. But we this year we revamped the whole thing. We actually, just yesterday I was in a meeting where I had somebody tell me that was the most fun educational, like, forced educational course that they've ever taken

at Sharp. We put a lot of care into it, and it's generated a lot of. Interest and messages to my team, Hey, can you tell me more about, X, Y, Z? But one of the things that was in that video is my team took a YouTube video of me speaking at some conference, right? Two minutes. Created a deep [00:21:00] fake.

And then inside of the course was a, which one is the real ciso? Is it, this chase or is it this chase? Oh, I love that. But drex that was based on capabilities that we had, seven, eight months ago. You do it now. Oh yeah. And those little things where like my team could tell which one the real chase was because the intonation of my voice, little cues were not right, but like.

We did one just last month, and it's, man it's, it's a lot better, lot better. lot better.

Drex DeFord: There's some amazing, it's tech. You can feed this stuff in have the fake and then you can do things like punch up this line, be more emphatic or, be less emphatic about that line.

You can tune it for emotion on certain. Yeah. So that you can really tune it into, that's how that person really does speak right. Yeah. Crazy. It's crazy. You wanna do a couple lightning round questions? Yeah, man. Do you have a favorite quote?

Is there a a quote? Yeah. From a even not famous person that you go back to from time to time.

Chase Franzen: Yeah I'll [00:22:00] give you, I'll give you two. So one of them I was in TaeKwonDo growing up and I think this is attributable, I have no idea but I think it's attributable to master Meti who was the guy that owned the studio that I practiced in.

But on the kind of wall it said, good is never good enough. And that's kind of stuck with me. It's. kind of sad, right? But it's also like this idea of perpetual, move forward, get better, never being complacent with the what is, but rather the what could be I think is powerful. And that kind of connects to my all time favorite quote is by TS Elliot.

I have a little bit of an endurance sports background, and so, I will write this on my arm as I'm like doing a long distance triathlon and look at it while I'm on the bike. But the quote is only those who risk going too far can possibly know how far one can go, If, If [00:23:00] you are not out there trying to

push, the bar forward maybe at the cost of failure. Yeah. You really don't know how far you can go if you're constantly in this comfortable zone. You're never gonna know how far you can go until you get uncomfortable. And I think that's really powerful and that stuck with me, gosh, almost my entire life.

Drex DeFord: That's great so both of those, I have talked to my teams in the past about they get comfortable with your uncomfortableness. That's the best. You don't have perspective, like, especially I think with endurance athletes. When you ride a hundred miles, when you run a marathon, you get to the point where you kind of go at any given point.

You go, oh, I've been this tired before. But for people who haven't pushed themselves out there, they don't know. They think this is as tired as I can possibly be. Yep. Or this is as dirty as I can possibly get. Yeah. I remember one time I was deployed and I put my hand on a wall to stand up and when I stood up I left a streak [00:24:00] on the wall.

And I was embedded with some army guys and one of the army guys said something like, well, look, you there, LT, you can only get so dirty before you start to get more clean. And so it's stuff like that, right? Yeah. That you just you wind up sort of figuring it's so good. That's, yeah that, that's good.

I think the continuous performance improvement and always getting better. I love that one too. You talked about failure there. Do you have a favorite failure? Like, I feel like I've failed a lot in my life, but

Chase Franzen: Yeah.

Drex DeFord: But I think the failure has led to like figuring things out, but do you have a favorite failure?

Chase Franzen: , I'm gonna give you one that has nothing to do with cybersecurity or even technology but as you ask that question, it's like, it's the first thing that pops into my mind. So I mentioned that I have a background in real estate. One of the things that I tried to do before I came back to, the home of technology was work in real estate investment and construction.

And I once with a partner of mine. Bought a house [00:25:00] in South Minneapolis in a really nice area of town for a very good price. At auction. It was sight unseen.

I thought I knew which house it was. Right. We were at a real estate auction. This address came up. There was a picture of it. I was like, ah, I live right there.

I know what house that is. Bought it on behalf of this company that my buddy and I had started. And we got to the house. It was not the house I thought it was. And we overpaid for it big time. Oh. And it was in horrendous disrepair. And it was just a massive investment failure, right?

So we way overpaid, we were way in over our heads. It was, the classic money pit scenario right from the movie. And we were looking at it going, gee, what do we do with this now? And what we did with it was my partner and I, we're pretty decent with construction, but like we didn't know every trade in construction.

We just made it our pet project, right? Where we would go [00:26:00] at night and we would be, jackhammering up the concrete floors in the basement and hauling it out in buckets and pouring new concrete. And it was literally. I got the opportunity, and I use that word very carefully, the opportunity to do every trade in building a house.

And it was brutal and it was hard and it took many months and it was way more expensive than we thought it would be. It was in Minneapolis in the winter. I've got pictures of. Like looking like Kenny from South Park, right? All like bundled up inside, like, doing plaster on the walls.

And I look back at that because, yeah, I mean, it was a failure. We, we, We didn't make money. It was way longer than we thought. It'd be way over budget. But it was so formative and I have had the opportunity of, owning a couple houses since then and I can do everything I want now on a house.

'cause how you became General Contractor house, I learned that this is how I became a general [00:27:00] contractor. Yeah. And so it, it taught so much and this is where Chase gets, now cheesy. But it was a ton of adversity, right? That was very difficult in the moment. But it teaches you like any other failure, like any other adversity, life lessons that you would never get from the best business school or from the best certification program that you do.

Sometimes it's just hard fricking work that gives you the most life lessons and teaches you the most, so. That one is just like this thing that's been forever embedded in my brain of like, if I could go back to that moment bidding on that house, would I still buy it? because holy crap, it was still a lot of work.

But it also taught me so much, and I think the answer is, heck yeah I'd do it all again.

Drex DeFord: Mistake again. Yeah. Yeah. Let me back to this uncomfortable conversation. No matter what it is. Yeah. If you put yourself in a situation where you're uncomfortable, this ties to [00:28:00] innovation. It ties to a lot of things.

I think the worst thing you can do is give people just tons of money and say, go be innovative, because they just buy things.

Chase Franzen: Yeah.

Drex DeFord: Versus saying. We don't have money. We've gotta figure out how we're gonna work ourself outta this situation. Yeah. And that creates a lot of really super impressive innovation.

People are really creative. Yeah.

Chase Franzen: Right. Scrappiness is a virtue scrappiness. Yeah.

Drex DeFord: Last question. What's the best airplane you've ever flown?

Chase Franzen: I've flown cooler, more interesting, more unique airplanes. But the iconic piper J-3 Cub is my favorite airplane that I've flown and I'm, fortunate enough to fly one often, but it's very simple and in a world of technology and cybersecurity and worrying that, can hackers hack the avionics and airplanes?

This thing has no computers. It doesn't even have an electrical starter. It doesn't have a battery. You have to hand prop it. It's got [00:29:00] nothing and that's really wonderful. It's wonderful to fly this thing that was built 85 years ago. That is just the essence of kind of stick and rudder flying.

And I think that'd be my answer. That's the most like iconic, true airplane that I fly.

Drex DeFord: I love it. I think that's a great answer. I appreciate it. Hey, thanks for being on the show today. This was fun.

Chase Franzen: Yeah, absolutely. It was a great time.

Thanks a lot. Drex

Drex DeFord: That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.