This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack the Podcast: CISO Changes and Building the Cyber Foundation with Dennis Leber

[00:00:00]

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity, and risk, and the people, process and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Drex DeFord: Hey everyone, I'm Drex and this is UnHack the podcast. We kind of go all over the place and talk to lots of different folks.

And today I have Dennis Leber here. Dennis has been a man, like a long time compadre in the cybersecurity business. We've known each other since your days back at UConn, maybe

Dennis Leber: That's correct.

Drex DeFord: Yeah. So, how's everything going? Welcome to the show.

Dennis Leber: Thanks for inviting me, Drex. It was really [00:01:00] good to sit down and chat with you again.

Things are going pretty well. It's staying busy, trying to have a positive influence in the cybersecurity community and industry and businesses right now. Focused a little bit of work on my consulting while I look for my next permanent gig. But helping organizations address their cybersecurity needs, some tools and solutions within, and if possible a lot of vCISO work right now, helping some healthcare organizations; currently doing some vCISO work.

Drex DeFord: It's interesting. You, like me, have a military background.

Dennis Leber: That's correct. I have 17 years total service. So in 1980, 8th of December 26, my Christmas present was to go to United States Marine Corps Bootcamp. I did six years in the Marine Corps. I did four years active, first Gulf War combat vet.

Then I stayed in the Army, the Marine Corps Reserve, for two years after I came back home. There's not, wasn't a lot of the Marine Corps units. It was quite a drive to get to the one unit [00:02:00] that was located in Kentucky. So I had a buddy that convinced me to try the Army Reserve, and he wore me down for months.

He just kept bugging me and bugging me. So I said, I'll try it. If you shut up, leave me alone, I'll try it. Well, the Army Reserve then had a try-a-year program. So I signed up for a year and I stayed 11. And I actually got called back to active duty with the Army during the second Gulf War. Did four years active with them.

So yeah, 17 years in the military altogether. And now I'm a hundred percent disabled vet, so, like a lot of soldiers, they just wear your body down. And that's what I do now.

Drex DeFord: I get it. I'm a little banged up myself. 20-year Air Force retired, right. Retired Air Force officer.

Also in the first Gulf War. That's interesting. So we've probably chewed some of the same dirt. There was a lot of waiting around. There was definitely a lot of waiting around for something to happen, and then it all happened in a really short period of time.

Dennis Leber: Yeah, I think the total, like, real action was like three days, and then, yeah, it was sporadic. [00:03:00]

Drex DeFord: It was. Let me ask you, beyond that, a little bit about your background. Did you wake up one day and say, I think I wanna be a CISO?

Dennis Leber: I did. So further back in my career, when I got out of the military, I was a police officer.

So I went back home to Louisville, Kentucky, and I joined the police department and spent almost 17 years there. I made a decision to leave the police department and started working actually at UPS and went to school, and between UPS and school and the Army Reserve, I started getting into technology and started getting into degrees.

I had always liked technology. I was probably one of the first police officers in Louisville to have the computer in my car. But through the military and through school, I started really focusing all my efforts in learning into technology. That's the future, that's where it needs to be. When the Army Reserve called me back to active duty, I was well within starting my master's degree in [00:04:00] IT. And keep in mind, I was enlisted. So most people in the military will know this, some don't. You have shops in your military units. There are S1s, S2s, S6, and usually they're run by an officer.

When I got to the unit, I was an E7.

And they said, oh, you're getting a master's degree in IT. Well, you're the S6. So the military paid for all my education, all my certifications. And then I gained that experience 'cause I got to work in IT, in concert with the other mission of our unit, which was training soldiers to go to combat. I actually left the military a few months early of my four years because I got a job offer in IT.

And that whole time I'm studying and focused on cybersecurity. I was like, I wanna be a CISO someday.

Drex DeFord: I've asked a lot of folks that question. You may be the first person that's ever said, yeah, I did wake up one day and said I wanted to be a CISO.

For most people, it's just been like a series of random luck things and then they wound up in the chief information security officer job. So that's a good spin. You [00:05:00] write a lot too, and one of the things that you just published recently was a "trust but verify" piece talking about CISOs and how boards and other execs should be looking at and evaluating CISOs. Tell me a little bit about that and what you were thinking as you wrote that.

Dennis Leber: Through my journey as a CISO, and this isn't meant to be disparaging to anyone, because everyone has a different path, as you've mentioned, to that title. But I've met CISOs and even CIOs. So you could make that a very general statement of that article. But I focus on CISOs 'cause that's my world, and having conversations with 'em or going to events, and you listen to some of the things they're saying, you're like, man, that's the way we did it 20 years ago.

Right. Or, hey, are you ready for quantum computing and AI? Because I see these things. I'm like, I went and got certified in NASA security.

I've been studying large language models. I probably could be an AI officer if I really put my mind to it. But I see counterparts and peers who are folks that wanna be [00:06:00] CISOs, but they're not going out and getting those skills, or they're not making good decisions, and others are just playing out their cornhole into position because they don't report at a level to the organization where they truly do have the impact and the authority.

Drex DeFord: So there's really kind of two things. One is maybe they're just stuck in a position. They're only given so much authority and they can't really work their way out of that. Right. And the other one is, and this is the one I see quite a bit too, and it kind of is across the board, not just technology people, other folks across healthcare organizations too: change is really hard, and they get stuck in the thing that is working for them today. And so that's what good looks like, and they never try to break that thing to try something new or better that's come along.

Dennis Leber: Yeah, spot on. And there's a lot of parameters to that and what drove me to have these thoughts. And then the other part that is a mix in that formula is I've long advocated, if you go back on LinkedIn and on my writing for years, I've always been like, [00:07:00] we should report to the CEO or the board.

I went and got the QTE certification that says, hey, this executive, this technology executive, is ready to serve on boards, but we're not doing it, right? And the courts have shown recently, in the real recent past, that the boards are responsible, the CEOs are responsible, right? The C-suite executives like the CISO contribute to it, but the overall governance of an organization, it's like Jocko Willink's "Extreme Ownership." Well, you're the CEO or you're the board. Okay, that guy screwed up, or that gal screwed up, but you're extreme ownership. And so that's a part of it too, but I also look at it and go, what did I have to learn as a cybersecurity executive to have conversations with CEOs and boards? So that's another problem that we need to solve and we're trying to solve: I'm not a board member, or my CISO is not interacting with the board because, well, no one's taught us how to do it.

And have you gone and asked?

Drex DeFord: So I do another show called The Two Minute Drill. It's [00:08:00] just a quick sort of update on things that are happening in security. And I do a newsletter attached to that called The Two Minute Drill Extra, and in Extra, I actually posted something from George Kurtz, the CEO of CrowdStrike. And he actually spent some time at RSA talking about CISOs being on boards and why it's important CISOs are on boards, and kind of how it happened eventually that a CFO was on every board, yeah, not from that company, but an outside CFO was on every board. And he sees this day coming where every board will have a CISO from outside that company actually sitting on the board, because security has become so integral to everything that we do. And he talks about, like, here's some of the things that you need to go through, but a lot of it is just like, you don't have experience. And how do you get that experience to be on a board or selected for a board? How have you gone about it?

Dennis Leber: Through grit and determination. You take the old job searching skill that they used to teach, and it says, go look at the job description and then look at those qualifications and then get your [00:09:00] resume out and go, do I have these? Right? So going and finding other board members, and I've served on some boards, not top big company boards, but even advisory boards or boards at universities.

Sure. Going, okay, well, what did I have to do at that board? What did I do to be invited to that board? How do I get better once I'm on that board? I've gone to some of the CFOs at companies I work for that are on boards and go, how does a person like me get there? Right? And before that, even as a CISO, I've had multiple roles.

Even like at UConn, I reported to the board. Like, if you remember Mark Boxer, I still talk to him occasionally, but I went to them and said, what is it that is missing? What is it that I need to bring? I can tell you about these metrics, but are they valuable? Because that's where I started really changing my thought to, what are the goals of the university, or what are the goals of this company?

And you wanna increase or decrease something by a certain percentage. It has nothing to do with technology or cybersecurity. I then have to go back and go, here is how implementing Control [00:10:00] X or Tool Y impacts that objective that the business stated. I can talk about vulnerabilities and risks afterwards.

The main thing is, if we do this, it will positively impact it; if we don't do this, it will negatively; or if we leave it the way it is, this may occur and we won't make a million dollars next year.

Drex DeFord: Yeah,

Dennis Leber: So, so

Drex DeFord: a lot of it is tied to risk and that risk conversation, and how you relate cybersecurity issues to board members who may not be cybersecurity professionals. How do you do that?

Dennis Leber: It's education. Fortunately, with all my adjunct teaching, and I've always had some kind of instructor role from even when I was 18 in the Marine Corps, I helped teach firearms. I owned a martial arts school, and I still do professorships at several colleges and attained my own PhD.

Teaching. Teaching is the thing. Teaching, yeah. It's communication and teaching, and it's not making assumptions. Everyone learns differently. So you [00:11:00] gotta go, well, do I have to show you, right? Or do I need to give you something to read? And how do you define how you learn? And you gotta ask those questions. What's the best way for me to teach you how to do this? And then teach 'em how to do it. The other thing that I'm working on, I'm working with another university and I hope to have something soon, is borrowing from our military experiences. And one of the things was looking at basic life saving, and I wrote an article on this too, you may have seen it. Uh huh. Every soldier that goes on the combat field is now taught basic life saving skills, and it has enhanced the survivability of combat wounds on the battlefield exponentially. And I forget the number, but it was night and day there.

Drex DeFord: No, absolutely. I spent my career as a medical person, and I have an Army Expert Field Medical Badge. I'm one of the few Air Force guys who wear that. And yeah, those fundamental skills really saved lives every day.

Dennis Leber: Yeah. And so how do we apply that to our everyday workers in our organization?

Yeah. From top to bottom, right? So you [00:12:00] get a phishing attack. How many cyber pros listening to this podcast right now will go, I get 30 emails a day going, is this email good? Is this email good? And we have all these tools and procedures that say, here's how you report phishing emails.

Here's all the things we do, and you do your annual training. You get this instilled and instilled. So yeah, I'm using that as a small example. It's like, oh, how do you have that training where your staff goes, I know what to do here, and does it? Right. And now you've decreased the risk of your company getting hacked.

How many companies, we look at time and time, we see all these hacks, and especially in healthcare, but when you start looking at it, it's like, well, someone just gave up their credentials. Right, right. Right. It's these simple things, or you didn't have it. There's a lot of complexity to cybersecurity, as we all know, but really basic hygiene, basic cybersecurity, is always the winner. And somehow or another we're still failing. I've been in this industry for 20 years and we still fall victim to the same things over and over.

Drex DeFord: Yeah. So that's part of it. It [00:13:00] is the fundamentals, right? It is the fundamentals that, if we did the fundamentals well, we'd probably be able to stop 80% of attacks.

That's right.

Drex DeFord: I'm gonna pick on you with a couple of other things. Are you ready for the lightning round? We're all super busy. So now I'm just kind of wondering, this is about you personally: when you get unfocused or you feel overwhelmed, what do you do? Or what question do you ask yourself to kind of get back on track?

Dennis Leber: I learned a long time ago how to manage time. So I think I've managed that well. But when it's time to disconnect: golf, my dog, my motorcycle's probably number one, and a good cigar.

Drex DeFord: Nice. What kind of motorcycle do you have?

Dennis Leber: I have a 2021 Indian Challenger.

Drex DeFord: Oh, nice. Love Indians. Yeah, rode a Chieftain for a while, so.

Dennis Leber: That's a great bike. Yeah.

Drex DeFord: Here's another one. Probably a lot of young people who'd like to get into the cybersecurity business, or people who talk to you about getting into the cybersecurity business. What [00:14:00] advice should they ignore?

Dennis Leber: All of it. All of it, because I see a lot of that stuff online and you pay for a course here and there, and none of it, to me, gets anyone anywhere, because the biggest problem I have as a CISO when I'm hiring people is they don't come in with the basic skills, similar to what we're trying to teach staff that work not in cybersecurity.

And I like to tell this story 'cause I think it summarizes my approach to it. I don't think it's wrong to go get degrees, but it shouldn't be the only thing you do.

I also think you should get certifications, because HR looks for that, and there is a basic knowledge and fundamental understanding of what's going on to get certifications. You can't just go in there and not have any clue of what's going on. It does require at least study, but it doesn't mean you're a good cybersecurity practitioner.

The other part is, every opportunity you get, do it on your own. Right? There are free YouTube videos. There [00:15:00] are a lot of folks like your podcast; listen to that. Go to networking events. If your company will pay for you to go to a conference, go, even if you're not in cybersecurity, or if you have the money. And some are free, our local conference or our networking group; go to those and talk to people.

But back to the story. When I worked in Kentucky, I had a pen testing team. Had guys that were really scary good at pen testing. They're not influencers, and I think they're better than any influencer that's pen testing online I've ever seen. But we were hiring for a new role. And we had a guy come in, and the director at the time that was running that pen test team, he set up a pen test.

He set up two computers, cable connected. He ran something on one side, they had to respond on the other, and he really tested 'em, like, can you hack? And the guy that we hired not only did very well in that, because we didn't tell him that it was occurring, so it was under pressure.

He came in with a mountain of paperwork.

And on his own time and during his college classes, he went to [00:16:00] every capture the flag he could, went solo, went in teams, and where he stood out, he documented everything he did in those capture the flags. So he had investigated what a pen test report looks like, how they should come back to an executive like myself so I can action it.

And he rolled them up and he had a stack of them. We hired him before he left the room.

Drex DeFord: He was a really good pen tester, but he'd really put a lot of time and effort into the practical, pragmatic experience that he would need to do the job well,

Dennis Leber: right, over and

Drex DeFord: above.

Dennis Leber: Yeah. Yeah. But a homeland, because you're never really gonna learn cybersecurity until you do it.

And the other part, I like to tell folks that are looking at the industry, is cybersecurity has many tentacles. There's so many parts of cybersecurity that people don't even realize fall under the umbrella of cybersecurity. I forget the gentleman's name; he does the mind map every year. Right. Look at the mind map and go, let me learn a little bit about each one of these, and then go, oh, I really like this one. And then focus [00:17:00] your studies there, because otherwise you'll be all over the map and you won't get anywhere. And I'll give you another example of that.

I was fortunate to do this at Kentucky. Kentucky was very supportive and had a nice budget, of course, too, to do this. But we created a general cybersecurity analyst position in Kentucky. And I jokingly say the only requirement is the candidate needs to know how to spell cybersecurity. And the running joke is, does it have a hyphen? Is it split or is it one word? We would rotate them through every division that we had in the cybersecurity office. So they went to the pen test team, they went to the GRC team, they went to the, our team, they went to the audit compliance team. They did all these, right? And of course, everyone we hired like that wanted to be a hacker.

None of them became hackers.

And the one person we hired, they really fell in love with GRC, never even knew it was a part of that branch of cybersecurity. I know that today that person's still the director of the GRC team. So they got promoted up through that team.

Drex DeFord: It is really interesting.

I think when you go through a rotation like that, the other things that you [00:18:00] figure out too are, like, privacy and other things that are adjacent to the cybersecurity team. But you spend a little time sorting that out and figuring out, like, that's something I'm really interested in, or, I don't really want to do that. That's good too. You just have an idea about how they're all connected together.

Dennis Leber: Absolutely. And I think as a CISO, going back to that, you have to have that understanding and knowledge of all those areas that you interact with.

Drex DeFord: Yeah, for sure. Okay. Final question. How do you spell cybersecurity?

Dennis Leber: Yeah, I haven't figured that one out yet. I probably put it as one word. So.

Drex DeFord: Thanks. I appreciate it. Dennis Leber, cybersecurity executive extraordinaire, really appreciate you being on the show today. If there's anything we can ever do, give us a shout. Thanks for being on.

Dennis Leber: Yeah. Appreciate you.

Drex DeFord: That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen [00:19:00] to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.