
[00:00:00] This episode is sponsored by ARMIS. Are your medical devices truly secure? ARMIS allows you to see, protect, and manage every device and asset in your environment, from the most common to the most complex across your health system, medical, IoT, or operational. Reduce risk, ensure compliance, and safeguard patient care with a trusted partner in cybersecurity.

Don't leave your devices and your patients exposed. Visit thisweekhealth.com ARMIS today to learn more.

Drex DeFord: (Interview 1) Hey everyone. I'm Drex and I'm really lucky to have Mick here with me today. Mick Coady from Armis. Hey Mick. How you doing? Welcome to the show.

Mick Coady: Good afternoon, sir. My time. How are you? I'm well.

Drex DeFord: Good. Last time I saw you, you were a little banged up, but you look pretty good today.

Everything's okay?

Mick Coady: Yes. Unfortunately, those of us who spend a lot of time in the sun have to kind of pay our piper and I hadn't gone to the dermatologist in three years and I reaped that woo once, so there we go. [00:01:00] Yeah. But no, everything's healing up fine on the face and different parts of the body.

Unfortunately, the one on the face was a little bit more, if not a lot more, serious, and that kind of took a little bit longer to heal, but thank you. Proud me back on. Yep. I'm a little more presentable these days, so that's fine.

Drex DeFord: Well, it's good to see you. I wanted to just kind of start by, tell me a little bit about yourself.

Tell me a little bit about Armis and we will just kind of carry it on from there. You and I have had a lot of great conversations about this stuff in the past.

Mick Coady: Yeah. I've been with Armis just two years. I actually was brought on to kind of operate in kind of a chief technology office kind of a thing in the field.

Initially I was working at a lot of different verticals throughout the US in different specializations that I know, with healthcare, aviation, oil and gas. There's a lot of different spaces where I've played over my career. I had a great career for 10 years at PwC. Retired, took the walk, and that was my third big four.

So for those of you who are listening, please don't hold that against me. But that's just the way it was. That's the way my career got formed. It was kind of saying in the command of what I was very much in a controlled, structured environment to learn the way I did since the early nineties. [00:02:00] But since I've been here, yeah, it's been very good.

It's an interesting journey, the platform. Even when we were developing our OT lab back in the day at PwC, and I did some work also with WWT, Armis has grown tremendously over the past seven, eight years. So when the leadership team asked me to come over here and join, it was on a journey of where they were going, and they've added pieces and parts of the platform.

So it's been very exciting. But now today I'm highly dedicated to healthcare, covering off the pharma, payer, provider kind of a market space. Very heavily focused on provider at the moment, from the larger healthcare delivery organization. Got launched on January 1st this year. You've met Christine, obviously, a couple of times now.

And she's a great add-on to what we're doing, in what we're kind of developing out the healthcare culture here.

Drex DeFord: Christine just came to the CSO summit that we did in Napa, and I had some great conversations with her. She kind of heard the stories in the room too.

This is just an evolving space, it seems like. I mean, I can tell you, like, back when I was a second lieutenant in the Air Force and running a small hospital, the sort of [00:03:00] IoT, medical equipment, OT stuff has just been a challenge. It feels like forever, and you guys are kind of finally getting a hand around it.

Mick Coady: Yeah. And I think, look, I've served in on top roles that you know about over that tenure per period too at different places, and got put behind kind of in a different position, and working with different CIOs in different organizations, and I would say everything we did was manual, right? And I'd even say, even just in the IT space, we'd have to have, depending on what organization it was, you'd have to have a CDW or whoever you were taking your assets, your IT assets, from the image build, whoever that could be, had to be in the room.

Procurement would have to be in the room, accounts payable or receivable and/or both would be in the room. So we were mirroring up invoicing, mirroring up this, having the vendor of choice on the thing, and how many were shipped this year, how many do we have, where are they? Right? That was manually done.

And then we would either hire a boutique company who would come in and do a physical audit, or a big four, depending on who it was, to get that done. And it was painful. Very. I remember

Drex DeFord: those little asset [00:04:00] tags that used to be those little

Mick Coady: Yeah. You used to get them tagged in, but then you'd have the scanner and everything, but that's a point in time click.

Sure. Absolutely. It was never, there was no continuity to that. We've been talking about this for 30 years, which is, patching at the OS, application, and asset level in general has been a very difficult thing to do. Hopefully we're trying to work towards simplifying that today.

But it's funny, for as long as you and I have been in the industry, we've been talking about this and we're only getting to the place of finding it, fingerprinting it, and then prioritizing what needs to get done quickly.

Drex DeFord: We are finally at that point where we say this all the time, if you don't know what you have, you can't protect it.

Right? That's a huge part of it. And that's not just a once a year inventory as you alluded to, like, right. I need to know right now what's really on the network, right? And where's it at? How's it being used, and what problems does it have that really demand my attention? How do you guys work that prioritization process for me?

Mick Coady: Yeah, I think an awful lot of it can be done in different ways. So obviously [00:05:00] the CVSS scores right from CISA KEV is a good way to kind of look at it from that. But we added a module ourselves, what they're talking about ourselves. Other people are kind of doing the same thing. At any given day, anyone's or behind whenever we're doing your adding to your platform.

But we added something kind of unique that kind of gives what we call early warning, that allows you to think about what's in the dark web and what's being exploited right now. Even ahead of maybe what CISA KEV is writing at this particular juncture, 'cause it could have been what they have found, they could have found eight, nine months ago.

Now they're writing it, now they're putting it out and that's fine. That's, you have to do it that way. You should marry it all up. It's apertures of risk but we want to kind of give you, we have just in time right now, like isi.exe could have been level three, nine months ago. Today it's a level eight.

Well. Can I right click and go, how many assets is that? Well, 24. Great. Well, maybe that was eight months ago. Maybe there's 2,824 now and they're at a level eight. Well, maybe I might want a DMZ, or I may have to VLAN that off. Right now, I don't know what I'm gonna [00:06:00] do to protect that. I don't have enough bandwidth to ACL that or figure out what that looks like or what I have to do to address that.

But yeah, I mean, as much as the culture is just, give me instant gratification. I don't think there's any CISO there, or even CIOs, who don't want instant gratification on, please help me stop this from happening. But even when updates happen to Windows, or even, our great partner, what happened to CrowdStrike, any of these things can happen.

I should be able to go right click. How many assets is that impacting, right? And that's, it's much more the expectation. I mean, if we were to do that manually in 2012, that would've been brutal. That could have taken a week. Right.

Drex DeFord: I mean, it's the resilience, it really extends the downtime, right?

If you have to do the thing manually, you can't go look right away. Right? A big zero day comes out. There's not a patch. You still have to figure out how to protect yourself,

Mick Coady: right? And the thing is, how do we get, from the orchestration of what we do on that, one of the things you alluded to, that we added also was allowing us to orchestrate that fast, right?

How do I automate that? Even some of it. How do [00:07:00] we get the fingers completely out of the pie, right? So if we know that's happened, and I can right click, can open and close tickets, and I can sweep and scan and go like, I know there's only, maybe there were 2,800 assets that might be impacted, but today, this morning, you know what?

There's only 14. Let me go fix the 14 that are critical. The rest of the red noise we'll wait on, but it's that level of prioritization. I think it was a great CIO that I used to work for a long time ago, both in a consultative format and kind of directly reporting to him in on top.

And Chris always said, the reason I like talking to you is 'cause you're practical. And I think the practicality of having a limited set of resources in a hospital and having to make them efficient and effective at their jobs is very difficult to do. Because that's the way they run in hospital environments and it's tough.

So how do we improve their lives? And by the way, I mean, not in a kind of a fuzzy, warm way, but yeah, it matters. How do you feel like you did something productive at the end of the day? And you've had people reporting to you, right? I mean, you see red all day long and it's [00:08:00] alert fatigue, right?

And you come in day after day and I mean, you don't feel like you're making any headway at all. I mean, that tends to wear on you.

Drex DeFord: Not all risk is the same, as you alluded to. Right. While they all look the same, line by line: here's something that needs to be patched.

Here's something that needs to be patched. Here's a risk. You do the math. Oh, it's 1400 things, but in the grand scheme of things, it's really just these 25 that are really important. And how and why does that prioritization happen? How do you guys do that?

Mick Coady: I like to provide more business context, right?

You and I have had to deal with Chief Medical Information Officers. Oh, and I say that with great respect to our brethren who'd be watching. But at the end of the day, CMIOs are demanding. Most of them are former physicians, and I get reminded every once in a while.

I used to report into different boards when I was presenting materials while I was working in a consultative manner. And they always reminded me, look, the cyber op stuff's cool, Mick, but I run a hospital. Okay. I need you to tell me from an operational perspective, yeah. I mean, if I [00:09:00] was to tell you tomorrow morning, if I was to go down to the hospital down the street here in Houston and they were to tell me that their surgery center was going to be impacted by this, that's gonna be much more priority than a sub clinic that's sitting at a suburb, right.

You may well do without the patient inflow, outflow, what you're doing in a clinic. But a surgery center, yeah. That's a different business operational category of risk that would sit further up the food chain that the board would care about. Not necessarily us in the CISO role, but it's good to get guidance.

Now, CISOs in hospitals are much more attuned to that, I think, than most others. But us as a platform, we allow you to modify and categorize business risk in conjunction with the technical risk. So I'm not making a determination. The hospital's making that determination. And where I live here in Houston, there's every type of hospital: research hospitals, caregiving, all of the different variations of acute care, long-term health, everything that sits in this city as a large city. The question is how they want to prioritize that to suit their mission. [00:10:00] That's how you should be aligning your goals. Right? Not every one of them runs the same. So I think what we've done, allowing that level of flexibility to have the prioritization be determined by board level down towards operational people, I think that makes a difference.

Drex DeFord: Just thinking about something that I read recently talking about how security teams create business value too. Creating that situation where, you know what you have, you know what you should be patching, you're reducing risk.

That really is about what I sort of jokingly saw written as something like the Chief Revenue Preservation Officer too, right? That is a lot of the ways that you have to think about risk and how you deal with risk, because one day down can cost millions of dollars and impact patients' lives and families' lives, obviously.

Yeah. So it's a huge deal.

Mick Coady: There are some people, I think from my days at CA when I did this through the identity lifecycle, and I've kind of mirrored some of the talking points of asset lifecycle that kind of follow the same kind of [00:11:00] theories, which is: you onboard, you've got joiner, mover, leaver kind of a thing, or as you go onto the network, same thing happens with an asset, right?

So the question is what does the asset look like through that lifecycle and where has it been? What kind of things have impacted it? Just no different than a human with the, you add or detract from all of the access rights that you have. Same thing happens with the asset. So the question is how do you manage that lifecycle more effectively?

Right? Which is absolutely a bottom line impact, right? And in certain cases you may have too many assets, and I'm not talking about IT, I'm talking about med devices. You also know that in certain hospital systems they lease, they rent, they own, and they could be doing all three. How do you manage all of that?

In one bucket? And we help. In most cases today we've gotten down to the point where we've got great detail around utilization of the asset. Also, depending on the style of asset, I can tell you the drug libraries, all of that stuff starts to matter, and it goes back away from people into the financial office, which is procurement and finance, right?

Where am I [00:12:00] spending my money? How should I be spending my money more effectively? Can you give me that data? It's a byproduct of what we happen to be doing. That was not put in for that use case at all. But we're now doing it. And I always said from those days in identity and this was when we used to kick the can down the road all the time.

Right? On identity: "Identity, man, it's not an issue. We're gonna do it manually." Right. Until you don't. And I kind of came up with different modeling and I kind of coined a phrase kind of differently, which you've heard me say, which is RON. Everyone talks about ROI, or realization of benefit; RON is a return on negligence.

It's the actual cost of doing nothing. If you choose not to do something like this, there is negligence associated with it, and an impact has been associated with green dollar effect, not blue dollar, but actual green dollars. And when you calculate those things, and I put Excel spreadsheets around it, here's your validation points on what happens when you miss a few steps in the workflow or you shorten the workflow for automation. How did that happen and what did I do? What was the impact? Right. Which can be absolutely validated financially.

Drex DeFord: Yeah. It all comes down to the bottom line, especially these days. Hey, I really [00:13:00] appreciate you being on. This was a good conversation.

I always love talking to you, and I hope our paths cross soon on the road somewhere.

Mick Coady: Absolutely. Appreciate it. Thanks, Drex.

Thanks for listening to this Interview in Action episode. If you found value in it, share it with a peer. It's a great chance to discuss the issues and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. If you can do that, it'd be great.

Thanks for listening. That's all for now.