This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00]
Introduction
Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity, and risk, and the people, process and technology making healthcare more secure.
And now this episode of Unhack the Podcast.
Drex DeFord: Hey everyone. Welcome to Unhack the Podcast. It's super cool and really fun because we're doing something a little different today. I've got two folks with me. Usually I only have one guest; today, two guests. Brian from Lee Health. Aaron from the Medical University of South Carolina. Welcome to the show, guys.
Brian Zegers: Thank you. It's great. Great to be here. Thank you for the invite.
Drex DeFord: It's always fun to see you guys. We were able to hang out in Boston a few months ago together and [00:01:00] work on some stuff. I'll probably talk about that in just a little bit. I don't know, good place to start.
Aaron, what's the coolest thing you're working on right now?
Aaron Heath: For better or for worse, one of the things that, you know, I recently took on was some of our network and infrastructure teams that previously were not within the security office. So it's been fun trying to align strategies with them, because there's a lot of opportunity to do so.
I think one of the pretty interesting areas that we're looking at is, in South Carolina we've got quite a few clinics, freestanding emergency departments, some rural hospitals that do not have the greatest network connectivity in the world. And they, somewhat, I don't wanna say regularly, but regularly enough that it causes some pretty acute problems for those areas. And so we're working on a project to look at different things like satellite connectivity, to be able to maintain connectivity if they have an outage, somebody digs up a fiber cable or something like that, because there's generally not much [00:02:00] infrastructure out there that can run out to them. And with how dependent we are on all of our technology today, we're trying to think of other ways of maintaining connectivity that are a little bit more resilient.
That's kind of a fun one that we're working on.
Drex DeFord: I like that. I mean, it is really interesting, right? When you're in a big place and you have resources and you're in a city or a city-ish environment and you talk about redundancy and having two lines going two different directions outta the data center on different sides of the building and not rejoining at the same telco building, so you can build redundancy in, but a lot of these places don't have that capability at all. Do they? Yeah. It's just like one line. That's it. That's all we got. Hopefully nobody cuts it with a backhoe when they're planting the new tree or something?
Aaron Heath: Yeah. I mean, it's amazing. We have had cases where we would have maybe backup like cell coverage to be able to maintain connectivity, but they're still running on the same lines as the lines coming into the building. So, it's pretty amazing how [00:03:00] interdependent our connectivity is, especially in the rural areas.
So yeah, we're looking at what kind of things some of the satellite services can provide for us.
Drex DeFord: I like it. That's pretty cool. Hey, Brian, what's the coolest thing you're working on right now?
Brian Zegers: One of the great things we've been able to do is, we're calling it kind of a recovering from ransomware initiative.
So it started off with some tabletop exercises with various groups, but really spawned into some kind of sub work streams where we're looking at all the different aspects of what we'd be dealing with in a ransomware scenario, from our capacity for storage and compute to be able to recover, to snapshot groupings and timings of backups, right?
You talk with infrastructure, yeah, we got snapshots, we got backups, and let's dig into that, right? Like, do we have this across? What does that mean? What does, well, there's these couple areas where we don't, okay, which systems are those? Oh, well, those are key systems. So it's letting us have a lot of really good in-depth conversations and getting all the teams outside of cyber, especially on the infrastructure side, to think about what would be involved in this process and try to brainstorm as much as [00:04:00] possible pre-event, right? Like I keep just telling them, we wanna talk about this as much as possible before we have an event. We don't wanna be trying to figure this out in the midst of a storm. As much as we can figure it out now, the better. So the organization really supports it, and there's probably 10 different sub work streams we have going on, from updating our response playbook to offline locations for documents we're gonna need and everything else that really ties into it.
But I really like that, because I think all of us know it's not a simple conversation. A lot of these really start growing into much broader, complex decision-making processes and things we need to think about, and pulling in so many other teams outside of cyber.
So we've been having that go on probably since the end of last year, and most of them are at completion, or running through the rest of the year. But it's really helping us in the preparation phase of those events. And it helps us really in overall DR planning too.
Because yeah, a lot of this stretches into things outside of just ransomware, right? It kind of correlates into other big events that hopefully wouldn't be cyber [00:05:00] related. I'm always hoping it's not a cyber event that causes us to exercise these things, but it's hard to get those conversations going and kind of keep reoccurring and getting people to stay involved in them. So those are things that have really helped us a lot in preparation.
Drex DeFord: I mean, they get distracted because day-to-day work comes back in and starts to suck up all those cycles. It's really interesting. I mean, so many components of that, like you talked about having hard copies or having an offsite copy of stuff like the contact list, and I mean, there's so many things that we have of it.
Yeah, we're gonna be able to get to that. It's on SharePoint, we're gonna be able to get on the common drive. And it's like, oh no, we can't get to the common drive. What are we gonna do? It is crazy, right? Everything's connected to everything else, and that turns out to be a huge deal.
Now I wanna go back to Aaron for a second. Brian kind of alluded to this idea that he's coordinating with all of his technology teams and all of that. You said something earlier that I'm like, I'm gonna ask the question again. You said all the infrastructure teams, like, report to you?
Aaron Heath: Yes. Yeah, we pulled [00:06:00] the, so hosting infrastructure team, networking team, endpoint engineering team. We sort of merged in with the security office. So we distributed some of the roles across those teams. So for example, like I used to just have firewalls, right? Now my firewall team is embedded with the networking team, and it's like, okay guys, we've got a really big network project going on and it's gonna include some additional network segmentation using different architectures that are much heavier on the networking side. And so we're like, all right guys, now we got similar outcomes. Now we got things we can work around. Like, let's get you guys on the same team, because we end up bumping into each other every time there's an issue on the network.
It's like, all right, call network and call firewalls. And they're working together as it is. And now we've just got really strict alignment with them. So really excited about some of that. Certainly brings in some new areas that I didn't have oversight for before. But I can't tell you how many times or how often we're finding, like, these are really things that the CISO should be concerned about, right? Because a lot of the infrastructure teams, they wanna [00:07:00] move fast and they want to do DevOps and stuff like that, but like, availability is so important to them. Right? And I'm like, I'm aligned with you on that one, guys.
That's really focused. So it's been a pretty interesting and good journey. I don't know if it works for every organization, but we've got some folks that are really jumping in and embracing it, I think.
Drex DeFord: It's interesting. I feel like I hear more and more often chief information security officers are moving into what used to be mostly called a chief technology officer kind of role. They're sort of combining those. Now, they may still have like a director of infrastructure and those kinds of people, but a lot of it is sort of de-conflicting the priorities and figuring out, okay, patches or whatever, right.
There's always something going on. And Brian, you probably see the same thing in the spirit of everything that's connected to everything else on the application side of the house too, right? Everyone's a security person now. Not just the infrastructure guys, not just the folks on your team, but all those apps people now are security people too.
The biomed equipment [00:08:00] guys, I mean, right on down the list.
Brian Zegers: Yeah. And that's fun, right? Because it was hard enough getting 'em to be IT people some of the time, let alone now they need to be security people on top of it, right? Like app support folks kind of knew apps. They didn't always know the infrastructure.
So, but yeah, it's all interconnected, and I think that's really where everything's going, right. So much of it is layers above the hardware and kind of the virtualization layer now. It's all app and security and processes and integration of all these different systems. That's where all the resources are at.
That's where so much of the team focus is spent now. So
Drex DeFord: And software as a service. Yeah. And all those third party relationships. I mean, we can go down the third party road, but I really want to ask you, Brian, a little bit about, I feel like, how do we do this without asking or talking about AI?
So, what are you thinking about AI right now?
Brian Zegers: I'm thinking it comes up about every day for us. So we started a whole kind of AI committee, subcommittee type thing that includes myself and our CMIO and a lot of different organizational [00:09:00] leads and business owners to kind of talk through, because so many people were looking to implement solutions. So at least it gives us a central channel and funnel for these to flow through for us to look at and say, is this really AI? Does this make sense and align with what we wanna use it for as an organization? Of course, does it have the proper security measures around it, from my viewpoint?
But it's really coming full speed. So recently, one of the key topics is Copilot, right? And we're in the process of doing an evaluation of Copilot. But the automation of AI is really what scares me, right? Because to me it's that whole RPA, the robotic process automation, on steroids.
Right. If you start giving AI the ability to just automate and do tasks, right? The next thing is now they're gonna want these accounts to have a tremendous amount of access in the organization and no one's really gonna know what it's gonna do. And somebody could easily tell it to do something that we don't really want it to do across the board.
And how do we protect against that? We're like right on that line. Because generative AI was the big key, and [00:10:00] now it's how do we use it for automation? That's where we're gonna get hampered, right? Because before it was protecting the data; now it's how do we protect our entire network from doing something out of bounds with what we would want it to do.
Drex DeFord: Let's ask Aaron and see what he's come up with. I mean, you're totally right. We see this continued growth phase through, sort of like we had Google and then we had ChatGPT, which was kind of just like a fancy version of Google. That's how people sort of used it.
But now they've turned these things into agents and they're loading things up there and giving them perspective and then asking them to do particular kinds of work. We're doing a bunch of that stuff here internally too. It's kind of cool and very interesting, and with everything that I do, I'm always like, oh, that's really cool, but my next breath is always like, and oh crap, what unintended consequences are gonna come from that. Aaron, what are you guys thinking about AI?
Aaron Heath: I could not agree with Brian more. I mean, we're kind of on a similar journey in terms of, we have a group that looks at new AI [00:11:00] platforms and, the message that I've been given is like, look, to some extent it's no different than anything else. They have certain platforms that are authorized for certain types of data. Here's the sort of controls we put around it. But that has been in a lead-up to what hasn't quite occurred yet, which I'm very wary of when it does start coming more, is more of the automated, autonomous agent stuff.
That is where my head is concerned. Because you're probably gonna have shadow AI agents, right? Like shadow IT, of course, that people are using to do their jobs, and they give them their identities, and who knows what they are gonna leverage them for within our environment.
I mean, heck, in the security office, right? We want to use AI. Yeah, we wanna do remediation faster. We want to isolate things faster. We could be the ones who create the disruption ourselves. So like, we need to be mindful of how we're using AI in our own departments, honestly, because we have very privileged access.
We wanna move fast. The threat actors are gonna move faster, but like, dang, we're right there with others who could disrupt our own [00:12:00] organization if something goes sideways. So that is where my head is really thinking about: what does this sort of next, less passive, more active phase of AI start to look like? And that's where I'm constantly trying to iterate and think about how we kind of get ahead of that.
Drex DeFord: Yeah. In my head, this is a little bit like, I don't know, change control or something like that, where we have processes, but we have humans in the process and we always look at it and say, okay, we got a back-out plan, right?
We got a kill switch on this. If something starts to go wrong, we ask those kinds of questions. So maybe it's kind of,
Brian Zegers: Yeah,
Drex DeFord: mentally something like that.
Brian Zegers: And we're seeing a lot of parts of the organization too kind of say, we need this, we need to get it implemented, but not really a firm use case of what do they want to do with it.
Right. So even on the other side, the business and clinical owners don't really know exactly. They just, hey, we wanna try and reduce time spent, administrative hours, and make things faster and more efficient. But trying to squeeze it down to, okay, talk me through what exactly do you want it to do?
Well, we're not sure yet. It's like, well, oh.
Drex DeFord: Let's start figuring that [00:13:00] out. At the same time, I think there has to be some room for experimentation and failure with AI too. There are a lot of us that are using it today. This is like the same issue around the analytics question.
Once you have great data and you have it in a good place and you start to do that kind of analytics, with AI or without AI, you start to find out things you didn't know. I didn't know I could ask that question. So now that I know, I can ask another question. I didn't even know I could get an answer to that.
AI is kind of playing in that same space right now. Like, I didn't know I could do that. Well, if I can do that, can I do this? And the answer may be yes, and then they continue on. But you know, the problem is doing it on live data, on the live network, and causing that kind of cascade effect. Yeah. Brian, you've also done some pretty cool stuff on talent recruitment and retainment.
We talked a little bit about that in Boston, but tell me more about where you're at with that. Because I know you've made some progress since we were all hanging out together.
Brian Zegers: Yeah, so actually about a [00:14:00] year ago, we got approval from the organization to add quite a bit of staffing to both our cyber operations and GRC functions.
So then we had the hurdle of actually hiring those folks. And with the change of remote work, we have some requirements of employees have to be residents of the state of Florida. Which typically, right, like most people that wanna move to Florida are people that wanna retire in Florida or are ready to retire in Florida.
So we had to really figure out as many different avenues and possible options of how do we get people into these positions, and so we started really looking at what we call, at least what I call, internal poaching. Right? Like, who are the top internal candidates that we wanna go recruit and pull over?
Yeah. The managers might not like it, but yeah, you must be super popular. Well, I think in cyber you need a specific skillset and a specific mentality and an appetite to learn and figure things out, right? Like it's a certain kind of individual that works best. So, and that's not to say that like other folks in IT aren't great. They're great at what they do, but somebody in cyber is not gonna [00:15:00] need prescriptive steps as to what do they do next, right? They're gonna have to be problem solvers: this looks odd, why is this the case?
And know when to call it and kind of say, let me not spend more cycles on something and go down a rabbit hole that wastes time, right? Those are hard things to do, and you also need a good understanding of the infrastructure to be able to do that. So, internal poaching has helped us identify really good candidates and bring them over. Relationships with local colleges and universities.
So that's something I've kept going, and being able to talk to the professors there and say, who are your top students? And talk with the class and offer mock interviews. And actually through a mock interview, we had an individual, one of the students who killed it, she did terrific on the mock interview, enough to where me and the manager said, you need to apply for this position right now, because we are gonna interview tomorrow for it, like we wanna hire you. It was just one of those with that relationship that allowed us to find somebody who would just be a great fit for the team. And other communications with other healthcare institutions, right?
Because usually somebody else knows somebody in the area. Oh, if you're looking [00:16:00] for this skillset and cloud engineer, hey, I know somebody that happens to be looking for a job and they're in Tampa or Miami or something like that. So that helped kind of connect some of those candidates to us to be able to fill those positions.
It's a lot of different avenues, and then at the same time, you gotta kind of keep 'em going and keep those stokes in the fire. Because, great, now our positions are filled. I don't know when the next one's gonna come, but I want those ready to be able to have that pipeline feed in as soon as the next opening comes about too.
Drex DeFord: Yeah. So, internal poaching. Go to the universities and community colleges and ask questions. Work your network. And then the other issue about this is if you have a full team, you also have to figure out how to make them happy about being here and give them interesting work, right?
Aaron Heath: Oh, yeah. I think Brian listed out some really good ones. I mean, the thing that I'm pretty passionate about is identifying the people who do have that mindset, right? Or have that drive to want to fix things or figure something out. The cyber stuff, [00:17:00] the cyber fundamentals, we'll get you there, but if you've got the first part, like, come on, let's go, type thing. So cyber's a really fun domain for being able to, like, introduce people to a whole lifetime's worth of learning and stuff like that. Yeah. You just gotta have the right head coming into it, because it's not for everybody.
Drex DeFord: All right, here's my old CIO tip. When you're in an interview with somebody and at some point they tell you that they were a bartender in college, that person probably has a lot of the skills that you're looking for, right? Relating to people, being able to solve problems, breaking up bar fights, being able to handle money, managing
Aaron Heath: A lot of stuff. Oh yeah,
Drex DeFord: Exactly. Yeah. Yeah. So anyway, that's my tip of the day for you on hiring good or interesting people. So, Aaron, Charleston School of Law. So I'm sure when you went into law school, you're a lawyer, you went into law school, you probably went in thinking my ultimate goal in [00:18:00] all this is to become a CISO.
Aaron Heath: A hundred percent.
Drex DeFord: How'd that happen? How'd this happen?
Aaron Heath: The long and short of it is that while I was in law school, I started my information security career. And so, I was in law school, I had started working in information security, and I started talking to a few mentors of mine and stuff.
They're like, you know what, there might be something there. Information security is getting kind of important. And there might be a nice, put these things together, yeah, the law, one day there might be some opportunities there. And so I was like, well, it's kind of fun to sort of explore new things and see where they go.
And so I just stayed really close on information security, stayed close on technology while I was in law school. And eventually once I got out, did some healthcare compliance work and some telehealth work and some privacy work and information security. I kind of stayed close with the information security office here at MUSC.
And eventually an opportunity came up that I decided to jump on, and I remember getting hired. I was like, are you sure you wanna do this? Like, I haven't, my experience in leading [00:19:00] is not as extensive as some of my security and legal background. Like, no. Give it a try.
So I did, and I've been doing so ever since then, so it's been a fun journey.
Drex DeFord: Nice. Brian? No law school? No, neither. I didn't go to law school. Aaron, making us look bad. At some point though, in your career, you were doing something and you got on this path. How'd that happen for you?
Brian Zegers: I got my degree in electronics engineering, so not too much IT related. It just happened that guys I went to college with got into IT and kind of got me a job in IT, and that's how I got started. A long time ago, but moved up throughout kind of managing and directing the infrastructure side of it, and I just found for me, it wasn't challenging enough. The technology doesn't change as frequently, right? Big things like virtualization and solid state drives, right, it's just, that's not all that frequent. So, and the late night calls. So, Aaron, I don't know how you get any sleep owning security and infrastructure like that. That really wore on me quite a bit. And as I started having a family [00:20:00] and stuff, I wanted to change, but security was something of like, every day it's something different. You have to stay on your toes. You have to always be able to strike a balance with the organization too.
It's not always a simple yes or no answer. There's a lot of conversation and back and forth to really figure out what's sort of an acceptable risk. And I like that part of it. And our organization didn't have a security officer lead. So at the time I went to the CIO and said, I'm really interested in doing this.
I would like to take on that responsibility, because he was that person on paper. And said, I'm gonna take this on in my current role, and at some point I'm sure you will create a dedicated CISO-level role and I wanna be considered for it. Fair enough. So that, took the initiative to start getting into it.
And when the organization said yes, we need to create an information security officer role, that allowed me to transition over and then kind of move away from also doing security and infrastructure. Because for a time I was doing both.
Drex DeFord: Man, you're right. This is the most interesting role in the world.
And I say this all the time because I wanna make sure [00:21:00] people are really clear. I've never been a CISO. I've always been a CIO. I had security responsibilities, but I've never done your job. But having done what I'm doing now for several years, it is the most interesting job I've ever done. There's so many facets.
As Aaron kind of alluded to, once you're in the path, there's so many roads you can go down and so many new skills you can learn. It's just crazy. Okay, I could go on forever. There's a hundred other things I'm gonna talk to you about. Maybe you guys will come back on the show again at some point, but let's move to the lightning round. Let me see here. What I wanna ask you guys: Brian and Aaron, interesting names. But you probably have nicknames. Maybe you do or maybe you don't. Aaron, do you have a nickname?
Aaron Heath: My high school friends call me Big A. My soccer coach used to call me Thunder Lips. I have no idea where that came from.
So there's kind of a laugh for you. I don't know where in the world that came from.
Drex DeFord: That's awesome. Brian, do you have a nickname?
Brian Zegers: People usually just refer to me by my last name. So [00:22:00] everyone refers to me as Zegers, because there's so many Brians always around. Yeah. Yeah. So most of that, or it's always Brain.
Because somebody can't spell Brian properly in email. Probably once a day I get Brain in an email. But, I don't know, I think probably when I make phone calls to people too, people gimme my nickname of, oh, crap. Because every time I call someone, it's like, what did I do? What am I in trouble for?
I'm like, is that really my reputation? Like I only call when you do something bad.
Drex DeFord: That's so good. I think that's true. When you have a last name like Zegers or a first name like Drex, it's really hard to get a nickname. So I don't really have a great nickname. Aaron, what fun thing are you doing this summer?
Aaron Heath: My family, including myself, are headed to Australia in a couple weeks. Oh, wow. So that's gonna be pretty interesting. I've got a 4-year-old that's gonna be on quite a long flight, so we'll see how that goes.
Drex DeFord: Don't have a 4-year-old, but I might wanna talk to you about your agenda at some point.
Yeah, sure. Australia is the only continent that I haven't been to yet, so I gotta work on that. Brian, what do you do in the summer?
Brian Zegers: Well, actually I just got back from a [00:23:00] trip. So I went on a fishing trip to Lake of the Woods, Ontario, Canada, for eight days with my 14-year-old son, my dad and my uncle. So, and we just fished on the lakes there and caught walleye and bass and perch and pike and relaxed. Sun rose at 5:00 AM and set at like 9:30. So you had, wow, 5:00 AM to 10:00 PM of daylight to go out on the lake and fish.
Drex DeFord: Yeah. I live in Seattle and I have that similar super ultra long summer experience, but it really stinks in the wintertime because you get the opposite version of that. Brian, dog guy or cat guy?
Brian Zegers: Dog. Only forced to by my kids, but dog.
Drex DeFord: Dog, Aaron?
Aaron Heath: Yep. Dog.
Drex DeFord: You're a dog guy too. Okay. Awesome. Let me ask you about your favorite metric, Aaron. This can be a work metric or this can be, I'm a dog guy, by the way. This can be a work metric or it can be some metric that you use in your life or other stuff.
What's your favorite metric?
Aaron Heath: I'm gonna have to tell you to pause on that. I gotta think about this one for [00:24:00] a second.
Drex DeFord: Let's go to Brian. What's your favorite metric?
Brian Zegers: I guess maybe it's not a metric, but more of like a rule I go by of, just as long as I'm comfortable with the decision I make, I can sleep at night.
Because people always say, how do you sleep at night? And it's like, hey, as long as I know I'm making the right decision, I can live with the outcome, right? Because I know I made the right decision based on the factors, and that helps me be comfortable and know, even if an event happens to the organization, I did what I could do, everything I could do, to try and protect and prevent those types of things.
But we know we can't ever do a hundred percent, right. So we always kind of have that area of unknown that we're dealing with.
Drex DeFord: Yeah. You and I have talked about this, like it's not necessarily that you made the right decision as much as you did your best to make the right decision. Yeah. Given all the information that you had, you know you did the best that you could.
I think that's a great way to just kind of generally go through life. A lot of people agonize over perfect. And as we say, perfect's the enemy of good. Aaron, did you come up with something?
Aaron Heath: Yeah, so we've got sort of some metrics that we, [00:25:00] this is maybe a general statement, but we've got some metrics that we track, right?
Like number of end-of-life systems we have, that broken out, and patching on criticals. And you work really hard with some teams to change a process, or you deploy some new technology, and you can just wake up the next morning and you just see some of that stuff drop off or improve.
And it is like the greatest, like hands in the air, feeling, just to be able to see that kind of quantitative impact that you can share with all your teams and stuff. I've got a whole bunch of examples of that recently where we did some small things we just hadn't been focused on for a while.
We prioritized 'em and it's just like, watch the metrics, or watch the data fall off. That is just such a good feeling to celebrate with those teams.
Drex DeFord: That's good. I love that. Okay, last one. Speaking of hands in the air, you're going to a big conference.
There's gonna be a thousand people there. You're presenting, you're really excited about it. They ask you for your walkup song. Brian, what's your walkup [00:26:00] song?
Brian Zegers: Oh, you already know it's Ice Ice Baby, right? Like, we love it. Everybody in my whole company knows that's my song. Somebody, anybody could answer that question for me.
Drex DeFord: I love it. Aaron, what's your walkup song?
Aaron Heath: Gosh, there's a couple Led Zeppelin songs. I'll take a whole bunch of Led Zeppelin songs.
Drex DeFord: Okay. We'll just put a mix together for you.
Aaron Heath: Yeah.
Drex DeFord: All right. Awesome guys. Thank you for being on. That was super fun. I hope that we can do it again and I'm looking forward to seeing you the next time we get together.
Brian Zegers: Yeah, it's been a real pleasure. Yeah. Thanks, Drex. Appreciate it.
Drex DeFord: That's it for Unhack the Podcast. I hope you guys are having fun. Stay safe. It's cybersecurity. Stay a little paranoid, and I'll see you around campus.
That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for [00:27:00] spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.