This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the Podcast): Your Vulnerability Scanner Is Lying to You with Jack Kufahl & Gregory Garneau
Drex DeFord: [00:00:00] Today on the UnHack channel with me Drex DeFord
Jack Kufahl: So how do you take extraordinary people and allow them to be extraordinary? What something has to give.
Drex DeFord: I'm Drex DeFord, president of Cybersecurity and Risk at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together because cyber safety is patient safety.
Let's get started.
Hey everyone, I'm Drex. So this is UnHack, the podcast. Welcome. I have a couple of great guests today that I have known for a while, gotten to know better even recently: Jack from Michigan Medicine and Greg from HSHS.
How you doing guys? Good to see you here.
Jack Kufahl: Good. Happy to be here. Thank you. Hi, good morning.
Drex DeFord: I wanted to start off. Thinking about something, Jack, that you said in the summit, the CISO summit in the fall, and it's [00:01:00] kind of continued to sort of bang around my brain. I wanna make sure I've got it right.
But at the summit you sort of talked about your teams and building the team and. Security planning efforts in a way that had long-term viability. Something that if for some example, as an example, if for some reason you won the lottery and left that it wouldn't be the kind of thing where the whole program is kind of wrapped around you and wrapped around your personality.
Talk to me about that. Do I have that, do I remember that kind of right or,
Jack Kufahl: That's in the direction it was, really. And I don't know what my first thought was becoming the CISO here. I wonder about that some days. But it was this idea that Michigan Medicine didn't really have a formal security program.
I was the first CISO. We were building it up greenfield, which is a rare opportunity. And before you start buying all this stuff and hiring all the people, spare a few moments to think about what are you uniquely positioned for? That you can pass forward 'cause vendors [00:02:00] change and people come and go.
Mm-hmm. And bosses come and go and department names change, all that kind of stuff. And what I really was struck by, as I was getting to know my by then very new CISO friends and family, was the turnover. And I think that's still happening. Now, there's all kinds of different data out there, but it's a couple years, right?
Healthcare CISO is expected to last a couple years you know, before they die from stress or leave the, leave, whatever company they're working for, you know? So I was looking at that. That wasn't my plan. And, you know, I've been here for 10 years. But I still think about that because there were a number of people in my immediate CISO circle that were.
Sort of always talking about, you know, why they left and just career and sort of three beer conversations and, and those types of things. But there was this remorse that they had. It's like, Hey, we built a program and as soon as I left it fell apart. Or I built a really great program and I'm taking all my people with me to the new place.
And none of those really sat with me really well. I mean, I get it and I'm not [00:03:00] casting stones in glass houses, but I didn't think that was right for Michigan Medicine. Like the med school just celebrated its 175th anniversary. Wow. You know, so you think about institutions and are you contributing to the institution while doing your job?
So that's what was kind of based out of it. I didn't wanna build something just to have whoever came in next say, well, that last guy didn't know what he was doing, not disputing that, therefore we had to go back to square one. And that shaped the things I bought, how I bought them, when I bought them, who I hired, why I hired, and that really fed into like the talent pipeline idea.
Like, what do you wanna leave behind? You wanna leave this idea behind that? It's a place where you grow careers. It's a place where you can have good work life balance and those types of things. Not because it's a moral imperative, I think it is, but it's something that I was uniquely positioned to do.
Right. Any CISO can buy. You know, an E xr, any CISO can [00:04:00] swear about their vulnerability scanner and replace it with a slightly less bad vulnerability scanner. But you don't really get these chances to shape the wet clay, if you will, that often. And that's really where those ideas started. And it, it sticks with me and I, I don't know.
Right. I'm the first Michigan Medicine CISO; I won't be the last. But that's the type of stuff. It kinda reminds me of when you drive by your old house. Yeah. And you know, if it's gone to rack and ruin, it's no skin off your nose, but it still kind of feels bad. Yeah. Or if they're doing really nice things with it, it's like, oh, they took down that tree, or they fixed that.
You know, if it's still going, there's a little bit of shared pride that you did something more right
Drex DeFord: than that. I was part of that. Yeah. There's this thing too, you know. I've kind of always subscribed to this idea that like, wherever you go, and it doesn't matter what it is, it doesn't matter if it's the, you know, returning the cart in the parking lot or wiping down the bathroom.
Right. You know, sink after you've used it or whatever, leave it better than you found it. But that kind of takes it to another level, right? It's not just leave it better than you found it but also build systems that allow [00:05:00] it to continue to stay good.
Jack Kufahl: Give it a chance
Drex DeFord: in the long run. Yeah. And
Jack Kufahl: there's no promises, right?
In cybersecurity or healthcare it, but you know, you gotta give it a chance.
Drex DeFord: Hey, Greg. Same. I mean, same kind of question. How are you building teams? Where do you find folks? It's for cybersecurity.
Gregory Garneau: Yeah, it's interesting. You know, Jack was obviously the first CISO at Michigan Medicine. I came into the program, into the system at HSHS, after an event, after a cyber event. Right, right. They wanted specifically to build a world-class cyber organization, and thankfully I've had some experience doing that at my previous health system.
So it was, I think, an opportunity to come in and really start at the basics, Cybersecurity 101, and build a program. I had many friends, and Jack and I talked about it even before I got here. This is an interesting, unique opportunity. I was all about it because I knew that this was a great opportunity to [00:06:00] introduce to a health system that's been around for a very, very long time
A program that they'd never had previously, right? Mm-hmm. And in support of the mission, we understood what happens when bad days occur, and we didn't want. To have that again, it's never, you know, we never can say it's never going to happen again. But we needed a fighting chance. So we had an opportunity. I was supported by leadership, supported by colleagues to build that program.
And when you look at, what do you do with staff, like the staffing, we didn't, we didn't have a program really to speak of. We had some really dedicated people on the team, but there was really no overall direction, right? There was, it's kind of a rudderless ship. We came in and we started from, you know, the basics and this week or next week, I'll celebrate my two year anniversary here.
And what we've accomplished in those two years is just nothing [00:07:00] short of extraordinary, but it's not done. You know, in isolation you can't do it. You have to work with your partners in the business. You have to work with IT. But you also need the staff. You also need the staff who want to support this mission.
Ultimately, what we're here to do is serve patients, right? Our job is to make sure that we support those who support patients in a safe environment, and that's what we're here to do on the cyber side. So I was able to find some folks who had worked with me in the past who wanted to come and join the mission.
Drex DeFord: Mm-hmm.
Gregory Garneau: I also was able to bring. Former interns of mine and we talked, Jack talked about the pipeline, right? Interns of mine who worked for me when they were in college, they'd moved off to do other things in cyber, you know, entry level positions and, and doing some of that other stuff. And I, I called 'em up.
I said, Hey, so what are you up to these days? Are you happy doing what you're doing? And I knew the character of these folks and how smart they were. And I said, Hey, this is the mission I'm on now. Do you wanna join this? [00:08:00] And we grew the team and we've grown. All of the teams that I have and it's and to the point, the sustainability quotient, right?
Mm-hmm. How can you ensure that if you go, you have the program in place, people, process, and technology to continue to support the business? And what we've spent a lot of time also on the technology side is finding solutions that extend our capabilities without actually having to hire new FTE.
And that's a huge component, right, of this whole battle we have on finding people.
Jack Kufahl: You know, you're talking about the finding people and the talent shortfall, and thinking back, 'cause I just finished up my 10th year of being CISO here, ISC2 just put out their workforce study, and Drex, you shared that, and I read through it the other day [00:09:00] and it's good data and I trust the data.
But you know, it's the same vibe for the past decade. So, so what are we doing? And you know, part of, and I'm not saying I'm immune to those pressures, being part of the University of Michigan, we probably have a different opportunity for talent retention. 'cause it's such a stable institution, right?
So, I mean. You know, nothing's like recession proof and nothing's, anything like that. But as far as industry goes, universities are pretty stable, right? Even beyond healthcare being pretty stable. So when I think about this talent pipeline issue, you think about not just that how do you grow, how do you bring in, but how do you change your department and what capabilities you're looking for to match that.
And one of the things that I. I'm not overly concerned about it, but it's an interesting sort of anachronism. We think about standards and we think about this is a vulnerability analyst and this is a third [00:10:00] party and this is an ops person, and this is a threat intel person, and this is a man, you know, and there's these cookie cutters and there's this, there's a, there's a.
Ethos out there that the more you do things standard, the more sustainable you're gonna be. And I get that right. The whole repeatability.
Gregory Garneau: Mm-hmm.
Jack Kufahl: I think that might be what's wrong, or at least partially wrong with cybersecurity talent. Because cybersecurity talent has a lot of extraordinary people available from both a behavior and a skillset point of view.
And if you try to take extraordinary people and then put them into ordinary containers, put 'em in
Drex DeFord: a lane and say, stay in your lane. There's so
Jack Kufahl: much
Drex DeFord: overlap and inner
Jack Kufahl: connection
Drex DeFord: between the jobs.
Jack Kufahl: So how do you take extraordinary people and allow them to be extraordinary? What something has to give.
And that means things like, well, org charts maybe org charts have to change. Maybe that what they called that team, what the team did, isn't exactly where the talent is. And the more you can [00:11:00] accommodate or in a reasonable way, be flexible around what you think good cybersecurity or information assurance is.
I think extraordinary people, an extraordinary person only makes your program better. Maybe not in the way you predicted, or maybe not in the way that the spreadsheet said it would. And if you can do that, you're creating an environment where you'll get sustainability and longevity. But I think nothing breaks that more than take an extraordinary person.
Who either overtly or covertly understand they're extraordinary and say, but you're not doing the ordinary stuff well enough. If anything, the ordinary stuff that an extraordinary person may not be, be stellar at great spaces for managed service providers and outsourcing or near sourcing, you know, type ideas, right?
Drex DeFord: Or AI and agents.
Jack Kufahl: There's hope, right? There's hope. There's hope with the ai. And if somebody can tell me what's real and what's not in ai, I'll, you know, like. I got a spot for you,
Drex DeFord: Jack. Where are you hiring your staff from? Greg talked about, you know, he [00:12:00] brought some folks from his previous place.
He hired some interns he'd worked with before. My question is really aimed at, are you hiring people internally from other departments in the health system sometimes. Or you and the university?
Jack Kufahl: , If there is something to be proud of in that space, I'm proud at how, how in, in, in concisely I can answer that question. Um, I've got folks on my staff who are joining who have had very strong and established multi-decade careers in hospital administration, and they wanted to get into cybersecurity as second career. Type thing and are working the pipeline there. I've got people coming in from junior positions out in it, you know, service desk, desktop support system administration, and like the stability that not just like the university provides, but also cybersecurity.
as an interesting and engaging long-term investment. But then I've also got people that are coming from teaching backgrounds or the gambling industry, right? The games and gambling industry. So there's this really, [00:13:00] you know, Whitman's Sampler sort of approach.
And that creates problems, right? Because you got. All sorts of different people with different ideas and different, you know, diversity of, you know, cognitive diversity and demographic diversity coming together and trying to figure out how to, you know, stop Vladimir. And you know, that's a special skillset, but I like watching that sausage being made.
So it may not be the most short term efficient model, but over the course of time. And back to that, what do you leave behind? I hope that sticks around, right? That idea that there isn't. Single place you recruit from, or a single pipeline. It's all those things. And the more flexible you are, when you really start looking at it through that lens, everybody's extraordinary at something.
Gregory Garneau: Mm-hmm.
Jack Kufahl: Right. And as an employer and as a team lead, and as a commander of leaders, you get this idea about, you know, it's my job to make the environment suit that extraordinary capability so that the institution benefits from it. And sometimes it works and sometimes it [00:14:00] doesn't. But it tends to work more than not.
But it's not anything I think you could package up and market to a CHRO and say, this is the way you do talent recruitment. I think it might be something somewhat special to cybersecurity. And if you allow it and if you're patient, I think we're really seeing payoffs in that space.
Gregory Garneau: I think one of the things that I've been seeing for a number of years the notion of, you know, you've gotta think outside the box to find talent, and well, that's true, but there's no box anymore. You just have to look right. All sorts of interesting, unique places. Attitude, acumen, and curiosity, if you have curiosity,
Jack Kufahl: is super important.
How people are curious is
Gregory Garneau: just exactly extraordinary behavior. This is a fantastic career for folks like that, right? You find really smart people who are incredibly curious, wanna learn, you know, it's perfect, right? And you find people. In places you, you normally wouldn't. And, and, and of course to Jack's point, you find them, within the IT space, folks who wanna start, come [00:15:00] over, learn about the systems, but it's.
Finding some of those people who are kind of outliers, who have those three qualities, and you bring them in and they turn into just absolute rock stars with the right mentorship and coaching from the other team members. It really is fascinating to see people grow and become engaged. That whole notion of putting a really smart person in an ordinary job where they're just mailing it in, checking the box every day, the disengagement over time just turns that person into way less of themselves. They're not willing to give back to the organization because they're not being challenged and engaged every day.
So, it's a interesting balance to try and meet operational needs, but also giving people the opportunity to stretch and to learn and we rotate a lot of the younger folks and even some of the. Senior [00:16:00] folks, mid to senior folks into other aspects of the cybersecurity org and other pillars, right, of the program from time to time and say, Hey, let's, let's get you into this, and.
I think you're gonna excel at that. And then, it works most of the time, but it doesn't work all the time. So then you, you know, make course corrections and get back to it. But yeah, those are the qualities that we really look for in any candidate who shows up.
Jack Kufahl: The curiosity one is essential.
And one of my favorite questions to ask new employees or prospective employees is, how do you like to learn? Because. Whatever cybersecurity is, it's not fixed, which means we're in a constant learning pattern. So the question doesn't have a right or wrong answer or preferred answer. It's does that person know how they learn best or
Drex DeFord: mm-hmm.
Jack Kufahl: Are they, you know, and you know, or are they trying to, answer the question the right way? So it's that, it's that [00:17:00] sort of behavioral answer and the ones I'm really interested in that have. A definitive answer about how they know they like to learn. And that gets back to that flexibility. It's like, I can work with that.
A lot of people work, you know, work really well with pairing or work well with coaching and mentoring or professional or, you know, are very visual or very booky and it's, it's like, hey, all those are all right answers. But are you cognizant of how you like to learn because that leads like a breadcrumb logical trail back to, are you curious?
Right. It's, it's in science, nobody screams Eureka. But people do say, huh, that's weird. And they go one layer deeper and that curiosity just keeps driving. And you know, I firm believe, everything with AI and everything with managed service providers and everything with collaborative, that's all important.
But cybersecurity and healthcare is because of the complexity of the workflows, complexity of the environment. It's a human job. So, and it's, almost in an unknowable place, right? Healthcare 'cause it's so complex and it's changing and it's so intricate and it's so storied. So if you're not curious.
You know, may as well get an AI agent to look for network [00:18:00] intrusions. Right. But it's that "huh, that's weird" sort of reaction, and to dig one layer deeper and two layers deeper, that bet saves our bacon more than Eds.
Drex DeFord: I think it's interesting that curiosity piece.
So, you know, and not just curiosity, but the other, they're good problem solvers and they work well with other people and those kinds of generic. Great skills that anyone you would want to have on your team should have. You just teach 'em the cybersecurity stuff they need after that. They come in sort of preset with this stuff and then you teach 'em the cyber stuff.
Jack Kufahl: Yeah, I think cyber's pretty teachable. And over the past 10 years, I think there's a lot more help in that space. I think a lot of the vendors have stepped up. And the vendors that I'm really interested are not the ones that are just selling their wares, but want their stuff used well.
Drex DeFord: Mm-hmm.
Jack Kufahl: Right. And more and more vendors are willing to step up and say, thank you for buying it, but we actually want you to use it better. So what's a healthy vendor? What's a healthy utilization? And that's really where there's [00:19:00] some great differentiation in the vendor space.
Drex DeFord: in some ways, the vendors are actually teaching your teams how to be better.
Jack Kufahl: I hope so too. To me, what a strategic vendor is isn't the cost of the invoice. It's like, oh, if you give vendor A a million dollars, they must be strategic. Actually, some of our biggest bills are some of our least strategic vendors, because what I'm looking for out of a strategic vendor is engagement and some
you know Stakeholdership and how well our team is doing and how well their products are working the way they want them to be successful.
And when you start looking at it like that, I can look at my OPEX general ledger and draw a line straight through the middle and say, oh, those are the vendors that are strategic.
They're in the trench with me, and they. This is their contribution versus the ones I'm just paying. Right. I got, I got nothing against the ones that I'm just paying. That's, but that's just buying stuff. And I tell you
Gregory Garneau: right
Jack Kufahl: when that, when the interesting vendor, you know, startup community is disrupting that and they've got something better.
I tell you what, I got no heartburn dropping, you know, and trying [00:20:00] somebody new in an untested way. If I'm just writing a check to just the big, one of the big three vendors. Right.
Drex DeFord: Greg, I know you've talked about this too, the difference between kind of partners and vendors or, partners and kind of commodity delivery vendors.
So how you think the same way you think in the same
Gregory Garneau: Absolutely. And today, as Jack talked about, we have so many disruptive startups in the cyber world. I call them disruptors because they're doing really amazing things. That you can look at and say, okay, so let's take a look at your tech.
What does it do for us? But what kind of partner are you gonna be? How are you gonna help me support my mission? Right? Because ultimately I'm bringing in your tech and your solution to solve our problems, which is securing a healthcare environment, right?
Jack Kufahl: Hmm.
Gregory Garneau: To Jack's point, I can tell you we have.
I've run through a number of vendors who we just wrote checks to and they were vendors and you know, it's. [00:21:00] The relationship is, Hey, how you doing? You know, do you want undercoating with that? You know, it really feels like you're buying, you know, buying one of those cars. But then you have folks who really want you to be better.
And to Jack's point, the vendors are starting, or they've been doing it for a while but the, the notion of having the resources for your team to get better at the platforms and encouraging. Them to take the, you know, the online universities or whatever they're calling them these days to help upskill your team.
Because to Jack's point earlier, this is constant evolution. You are having to learn. You're having to. Look at problems differently and ways to solve them differently. And the vendors, the really good partners are helping your teams upskill and do that. And I look for that. And that goes a long way for us.
Obviously the tech is incredibly important and super important, but when you get the [00:22:00] combination of both, and there are a number of really big vendors out there that are doing it well, a lot of new startups are doing it even better.
Jack Kufahl: And, that was another one of those data points in that workforce study document that I keyed on, and that it was later in the study and there was a piece of data there where you know, there was, it was a, Hey, what, you know, how, how do you train or, you know, what would be more meaningful?
And it was part of an engagement and burnout. And I think it was one of the second ones that said. The second most, noted one in the survey, it was something around the lines of, I don't have enough time to learn the tools. Right. And you know that's true. So like when do we mostly train people on tools?
It's like, well, when we're installing something or when we're buying a new module, things like that. And if you think about it, well that's happening all the time everywhere. And that's work. So how are we baking into our 37.5 hours a week of individuals, what is that training time? What's, what do they want?
Not just what we're forcing down their throats. It's like, Hey, we bought this thing, [00:23:00] or, you know, this vendor's doing a so we gotta learn how to do it. There's lots of that, but what do you wanna learn? Because now you're talking about how you're using work time and, that curiosity and that individual workforce interest to pad out their skillset and their resume, not because I want them to become, you know.
You know, juniors to seniors and seniors to leads and so forth and lose 'em or something like that. But the more you support somebody's career, the more they're going to be interested in staying in that environment. Right, and if they leave, then they're leaving for the good reason, right? People do leave the organization, right?
We have really good retention, we have really good employee engagement. All those types of things, we don't pay the best, right? We don't pay the best in southeast Michigan. We pay right around the 50th percentile pretty consistently, so we could be out-priced, but I think people tend to stay because of variety and because of that career.
Support and we want them to leave for the right reasons, right? Are they people wanna, go from being a junior, vulnerability analyst and maybe they wanna hang their shingle out in pen testing. 'cause [00:24:00] pen testing's fun, or, you know, everything's ai, ai, ai. Well, okay, how do we start building people's careers so that they can credibly and legitimately be, you know, get the panel interview based off their resume because of their experience and their tools?
And I think that goes a long. Long way, and as a group of CISOs and leaders and people interested in developing the overall talent pool, how do we make that time and not have it be a burden? You know, bake it into the, the work time. So you don't have 37.5 hours of a vulnerability analyst.
You've got 30 hours of a vulnerability analyst because this professional training is work, and if you prioritize it, everybody wins. Everybody benefits. The tools are used better, the talent's used better, and you're a better boss for it.
Drex DeFord: I think as you, implement a new tool to, well, you know, we all know maybe you, you learn 50% of what that tool can do.
There's still so much stuff that you haven't figured out yet. So that curiosity of like. Becoming a little more efficient, becoming a little more efficient, that starts to save them time. The other part of this is they learn the [00:25:00] tool and they get really good at it. I've had folks on my teams tell me that, yep, the pays okay.
The reason I really love staying here, one of the reasons is that when I go have beers with my friends on Friday night, I've always got the best and most interesting stories about the work that I'm doing.
Jack Kufahl: Right? That was the one thing that surprised me with exit interviews. It's like, oh, you know.
What did you like? What did you not like? Why are you leaving? Tho those types of typical questions and a theme emerged. It's like, oh, I stay 'cause I really like the variety.
Drex DeFord: Yeah,
Jack Kufahl: and you know, that gets back to that don't put extraordinary people in these static roles because that will reduce the opportunity for variety and there's a lot of grind.
Cybersecurity. I mean, God bless people doing third party risk management. It is a grind. Right? So how do you, how do you figure out how to de grind? Right? And that's, yeah, that's a that's time that you know what a vendor ain't gonna help you with. You have to sit down and figure that out and work with your other CISO leaders and leaders outside of security.
Because we're kind of a motley crew. So, you know, talk to nursing leadership. How do you address burnout in [00:26:00] nursing and grind and, you know, what do you do? Any lesson you can learn? There's a big cohort of people that care about this inside healthcare, outside of cyber and outside of IT.
Gregory Garneau: I like the idea. And this just goes to a theory of how do we keep people engaged? Let your teams' individual contributors, engineers, analysts, architects own it, right? So you are running threat and vulnerability management. You may not be a manager or a director, but I've entrusted you as the senior to run it.
And you get to make decisions. You get to own it. And down to the brand new analysts who we bring on the juniors. Let them have some skin in the game. Let them feel like they, their work matters and they actually have ownership of something and that I have found to be incredibly valuable.
Yeah. We talk about, hey, [00:27:00] take action and take direction. Well, yeah.
Jack Kufahl: A lot of my, my team probably gets really annoyed at this, but, you know, I say a lot of the same things over and over again, not because it's a great trick, right? If you can just say the same thing, you get paid twice. But it's, a lot of leadership is repeating yourself.
When we think about, what is a driving force in satisfaction for, at least the people that I think work really well at Michigan Medicine is this idea of autonomy and mastery. Right, because healthcare and even academic medicine beyond that is a, you know, it's a bureaucratic organism, right? There are layers and there's, I I, one of the things I say is everyone's middle management, right?
You know, so if you're thinking about progressing your career, is it that you wanna be a middle manager? Or is it that you want autonomy and mastery? Do you wanna be a leader of something? And you know what? Legit, some people wanna be managers, and often those people make the best managers, like management as the craft, not as the consequence
of being like the senior, you know, logging aggregator sort of person. But [00:28:00] where do you want autonomy and mastery, and how do you start guiding towards that? And that's, you know, Greg, that's how I lens what you're talking about. It's like, hey, you can have ownership, right? You can express leadership.
The only path to that isn't how many time sheets do you have to fill out? How many employee evals do you have to do, right? That's the management piece, right? I love people who do it well. It's pretty rare to find people who are doing like the HR stuff well inside IT, let alone cybersecurity, right?
That's sort of the leadership tax in a lot of places. And I think that also hurts retention, right? If you've got bad management, if you've got bad middle management, bad, supervisors, leads, if they're, that's what causes people to leave improving their. That causes a lot of burnout, right?
And, you know, it shouldn't be, and I'm a living example of that. The person who knows the most shouldn't necessarily be the one in charge. You've gotta have an aptitude that, that, in, that you're curious about that yourself, that you want autonomy and mastery around your management and leadership capability.
If you don't want that, boy, I would recommend not getting into management inside of IT in healthcare.
Drex DeFord: Let's do one quick lightning round question and then we [00:29:00] will wrap up.
Jack Kufahl: Drex, you're just kind of recording what Greg and I do anyways, when we call up each other. Right,
Gregory Garneau: right. I mean,
Drex DeFord: I love that. So this is, this is your, regular weekly conversation or monthly conversation.
I just happen to be, in the waiting room. You're just kind of
Jack Kufahl: there, man.
Gregory Garneau: Yeah. You're there buddy.
Drex DeFord: This is great. Tell me one thing you've changed your mind about recently.
Jack Kufahl: That's a tough question. Is it, it's something that I change my mind about perpetually. It's one of these things that I have to keep reminding myself about.
'cause it's, and it gets back to this, there's a right and wrong way, you know, sort of thing. And I have to constantly remind myself there's no limit to the number of right ways of doing something. And if you're lucky enough to know there's an absolute wrong way. You know, great. But that's just as rare.
You know, I had somebody on my staff who's just starting out in a leadership role. And, you know, she asked a very interesting question. She said something to the effect of, Hey, would you let me know if I'm going in a direction that you weren't going? And we're doing some, she's taking some stuff over from me.
And I thought about that and I said, you [00:30:00] actually know, because I would, that would presume that I knew what I was doing, and I have no evidence of that. Right. You know, you know, sort of idea. And so constantly reminding myself and changing my mind that success in cybersecurity is doing what I think is best. I had to remind myself, no, you have to create this community of people that are gonna follow the data and are gonna follow their mastery and their autonomy.
And the more that I can do that, 'cause you know my department's around 80, 90 people, but I don't have a direct reporting relationship with 80, 90 people. So how do you like express that sentiment? It has to be emphatic with the people that directly report to you, and you just have to keep talking about it.
Keep talking about it, you know, and, you know, I guess more, more practically, and I don't think this is any revolutionary, uh, idea. I've changed my mind consistently about it. Vulnerability management is dumb. Doesn't work. Too many vulnerabilities. It's an exercise in integrating with your [00:31:00] CMDB, you know, and.
It's pretty dumb and we gotta do it. And I'm not saying that there isn't good data in there, and I'm not saying don't scan your vulnerabilities, but you know, there's also,
Drex DeFord: that's another one of those, like more than one way to skin a cat.
Jack Kufahl: There is. Mm-hmm. Get a sticky note. Figure out how many hours and how many people you're putting into vulnerability scanning.
But then be honest with yourself, how many of those people are actually pushing tickets and just trying to make the ticketing system work or the, you know, the integrations work. And then start thinking about how could I redeploy that effort towards taking whatever the vulnerability scanner puts out and starting to put it through a threat interface, right?
And really not worrying about the policy of, if it's a 10, if it's 9.9, you do this. If it's a 9.7 you do that. All the good dimensions are in threat intel. And if you're not looking at threat intel, you should do it. It is not a hood ornament for rich health systems.
Every health system. Community hospitals. So everybody should be looking at threat and just moving as [00:32:00] fast as you can away from this idea that a good security program is one that has zero vulnerabilities. 'cause you're just gonna end up lying to yourself, right? Yeah. You're
Gregory Garneau: never gonna get there. And everybody can afford H-ISAC and their threat intel, right?
In the healthcare space, you should be ingesting.
Jack Kufahl: There's resources out there and there's also people in the community. So it's like, I don't know what threat intel is. There's communities and we're all trying to figure this out. I don't think anybody's got it figured out, but healthcare's figuring it out and there's a good community around it, but the faster you can start putting anything, if you've got $5, put a dollar towards threat intel.
Just whatever you can do, just start investing in threat intel using threat as a prioritization engine.
Drex DeFord: I mean, I think it changes. It's the, it's a lot of, this is the maturity part of it too, right? Instead of taller castle walls and deeper, wider moats, we're gonna patch all our vulnerabilities and that's gonna keep us safe.
It really is sort of the reality of like, we can work really, really hard at that, and there's a whole bunch of things that are still coming at us that we don't really know about. So, threat intel and,
Jack Kufahl: well, and you'll just. You'll have no partnership in that, right? Because IT isn't made of dumb-dumbs.
[00:33:00] Right? So, okay, I got 50 bajillion vulnerabilities. I'm gonna go over to the virtualization guy that's running Citrix and gonna say 99% of these don't affect us because of whatever architecture or, you know, witchcraft, whatever. Whatever. Whatever goes on in Citrix shops. And they're right.
And what you've done is you've just spent an incredible amount of time and effort. And if you're not conscious enough to say, yeah, she's right, that's not the problem you go to. Every time we've gone to another IT team with threat and we've explained our model, there's been zero friction.
I mean, it's just like, yeah, we agree that is a real problem. And more times than not, they come back and say, and we know that's a problem, and we could really use your help to get through the, you know, the bureaucracy, the politics, you know, if you need, you need some money or whatever. Right. Type thing.
Gregory Garneau: It's the exposure management stuff that we've
Jack Kufahl: Right, right. That's what they call it.
Gregory Garneau: Right? It's it. Okay, so we'll, go down the threat and vulnerability road for another 30 seconds.
Drex DeFord: Okay.
Gregory Garneau: It's defining that which is the most critical for your environment. It's not playing [00:34:00] whack-a-mole with the highest vulnerability.
You know, the tens and the nines and the eights. Are those really exploitable? Are they a KEV? Right? Are they part of the KEV known exploitable vulnerabilities? Do they run in runtime? You know, all the things like the worst of the worst. Those are the ones you go after. And to Jack's point, once you do that, then you can say, well, we used to have.
30 people running around patching. Well, we've been able to reduce the number of FTEs institutionally on the IT side, on the cyber side, who are engaged in this exercise. So they can go off and support the mission in other ways. But you're still focused on getting rid of the most critical and the highest vulnerabilities that we know.
Will impact you.
Drex DeFord: Mm-hmm.
Gregory Garneau: That's, that's one of the, and okay, so I, I changed my mind on TBM versus CE, so that is something I've done over the last year. Right. So the whole idea of vulnerability management versus exposure management that's kind of one of the things. So [00:35:00] Jack, thank you for doing what you always do.
Jack Kufahl: That's where we're at, right? I forget what the words are, but that's.
Drex DeFord: I love it. You guys, you guys have effectively taken a lightning round question and turned it into another whole show, so we'll
Gregory Garneau: do that. Yeah, that happens.
Drex DeFord: Hey Jack, Greg, thanks for the show today.
Gregory Garneau: Happens when we get bourbon in us?
Jack Kufahl: Yeah.
Gregory Garneau: Oh,
Drex DeFord: that is soon. We'll figure that out. Jack and Greg, thank you guys so much for being on the show. I really appreciate it. I hope I get to see, I know I get to see Jack soon. Hopefully I get to see you too Greg, really
Gregory Garneau: soon. Yes, we'll work on it. Thanks, Jack.
Jack Kufahl: Thanks.
Drex DeFord: Thanks for joining us on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.
Together we are stronger.