Cybersecurity Effectiveness Podcast

Colby DeRodeff

Financial services tend to have larger cybersecurity teams than in healthcare because they’re seen as protecting cold, hard cash, right? But I think that if you look at it you're talking about some Fortune 10, Fortune 5 level companies here that have extremely critical information that they're protecting. And obviously they're protecting information about us. You and I, and our parents, our brothers, sisters, friends, etc. So, cybersecurity is mission critical.

Colby DeRodeff is Chief Technology Officer at Verodin, where he is responsible for driving the company’s technology strategy and supporting the rapid expansion of its Security Instrumentation Platform (SIP).

Brian Contos:                

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a very, very special guest today. Joining me is Colby DeRodeff. Welcome to the podcast, Colby.

Colby DeRodeff:            

Thank you, Brian. How are you today?

Brian Contos:                

I'm doing well. I'm doing well. Hey, thanks for joining and you know what? Before we jump in, I know we've got a lot to cover. Why don't you give the audience a little bit of background on yourself and your journey and what landed you ultimately as CTO of Verodin.

Colby DeRodeff:            

Sure. So, basically, I've been doing cyber for about two decades now. It's something that I have a lot of passion for. I think it is a nonstop excitement type space. So, I just think that the challenges that we face as practitioners, and as inventors, and entrepreneurs in this space are very exciting and lots of challenges to overcome. Obviously, as we get better at security the bad guys get better at deception and getting around controls that are in place, and I started my security career at a company called ArcSight where, Brian, obviously we met and had a chance to work together there and ArcSight was great. It taught me a lot about the different tools that organizations are using to get visibility into security threats. From there I went to a company called Silver Tail.

Colby DeRodeff:            

Silver Tail was basically focused on visibility and fraud detection in the transactional space. Then I co-founded a company called Anomali that was really focused on the external threat and providing visibility into what the adversaries are actually doing out there in the internet, out there in the world. So, for me, I guess you could sum it up saying I feel like I have built three mousetraps, so to speak. And what was exciting to me about Verodin and obviously beyond the chance to come back and work with some people that I've worked with in the past that I have a lot of respect for is the ability to then go back and see, "Are all these mousetraps that we have working?" Right? If you look at security as a constant cat/mouse sort of game it's the first time I've heard of an opportunity to actually see if those traps are working, and I just thought that was something I couldn't pass up and I'm excited to be here and happy to be part of the team.

Brian Contos:                

Yeah, well we're happy to have you and well said. It's great to have a mouse trap, but if you don't know if it's working or not really what's the point? And we met about, I guess about 16 years ago is when we first started. That's when --

Colby DeRodeff:            

You're making me feel old, Brian.

Brian Contos:                

Me too. That's when ArcSight... And, essentially, we were in Sunnyvale behind what pretty much looked like a dentist's office at the point, and SIEM wasn't even called SIEM and it was an awesome solution, a very timely solution and still continues on. And SIEM continues to be an important part of people's programs, but it certainly was one of the harder solutions out there, SIEM in general, to not just configure but to keep on running efficiently, effectively and providing value. It certainly requires care and feeding and --

Colby DeRodeff:            

It's a very complex system, right? And a lot of these security platforms are very complex and you look at systems like SAP or Oracle financials, systems like that. Organizations dedicate resources to running and operating those types of platforms because they are so complex and security should not look at the problem any differently, right? They need to dedicate the appropriate amount of resources and you're right. It is hard to see if your SIEM is getting all the logs. Obviously, it's getting some logs because you're going to see them popping through the screen, but is it getting them from the firewall that's configured over in APJ? Or is it getting the logs from the IDS that's in Brazil or what have you? It's really hard to know that. Even beyond that I think it's you have a lot of security vendors that are talking about the next new shiny kind of thing and how they're... The new thing that they have built is going to detect this new threat, and it's really hard to validate whether that's actually going to work.

Brian Contos:                

Yeah. To me, I think it's all about proof. You know? If you go to the accounting department in a company and say, "What are our accounts receivable? What are our accounts payable?" They're going to have a very specific empiric number for you. If you go to the security team and you say, "What's working? What's not?" There's a lot of assumptions based on that and it's nice to actually start to measure cyber just like we measure other strategic business units.

Colby DeRodeff:            

Yeah, absolutely. Absolutely.

Brian Contos:                

But you know what? Let's get to our main topic here. You and I – and especially you – have worked very closely with a lot of healthcare organizations, and I'm talking about healthcare payers, and providers, and sciences. It's a challenging space for cyber within healthcare, but why is that? What is it about cybersecurity that's so challenging for various healthcare payers, providers and sciences?

Colby DeRodeff:            

Well, I think it is an extremely large vertical, right? You also have the pharmaceuticals and, like you said, the sciences and the payers, providers, the hospitals, etc., and the device manufacturers. So, it is a very broad spectrum of companies to begin with, right? Some of those companies probably don't really come from a background where cybersecurity was at the core. Now, the other thing that I think a lot of folks don't realize is that healthcare organizations in a lot of cases are not so dissimilar from very large financial services organizations. You look at some of the payers and the insurers, you have extremely large complex organizations. You look at very large provider organizations where they have hospitals in multiple states, multiple cities within those states and you're really trying to control access to data.

Colby DeRodeff:            

Obviously, healthcare records, patient records are extremely sensitive information and that data also needs to be very readily available to doctors, and to pharmacies, and to folks that actually need that data in order to make what could potentially actually be a life or death decision, right? So, you have to balance the controls that are in place with the access that's needed, and in some cases that access can be super critical as we discussed, but I think these are... A lot of people sometimes I think maybe don't realize exactly the gravitas of healthcare and how big these healthcare organizations are. And I mean, I've worked with the biggest in the world and I think that for me personally even getting in and really understanding how those businesses operate, and all the different tentacles that are out there from these organizations. It does become very complex.

Brian Contos:                

Yeah. I did a webinar I guess a few months back with Frank Kim. He's a director over at SANS, but he used to be an executive with Kaiser Permanente on the cybersecurity side. One of the things that I thought was really interesting is most healthcare providers, so we'll just talk about the hospitals and related organizations like that, they start at roughly about a 30% deficit because they can't refuse care. So right off the bat they know they're losing 30% off the top before they even start to get to that break-even point.

Brian Contos:                

So, when they're starting to look at things such as patient care and patient experience, and that's a very broad term, that can be everything from wait times in line, to the actual service that you get from nurses and doctors, to now cybersecurity and your profit. When they're looking at these things it comes down to balance because every dollar I spend in cybersecurity I'm not spending on a new MRI machine, or hiring a new doctor, a new nurse, or new nursing station systems, or pharma systems, what have you. So, when the core of your business is patient care and yes, cybersecurity is a piece of that now it's very much a balancing act and you said they're similar to financials. One of the things that I've noticed is financial services almost always have much, much larger cybersecurity teams than you see in healthcare. Is that something similar to what you've seen? It just seems like they've got the same risks, they've got the same concerns, but they might not necessarily have the same bench.

Colby DeRodeff:            

Yeah, no, I would agree and teams, budgets, etc.

Brian Contos:                

Yeah. Well, you can always replace a credit card. Once your healthcare data's out there it's... Potentially it's out there, right? So, let's talk about what steps they're taking now. What are the steps that healthcare organizations are actually taking to remediate these risks? Knowing that they're very large companies, very complex, patient care is critical, they might not have as large of a bench, but they're investing in cybersecurity and they're investing heavily. What are they doing? Where are some of the top areas that they're focusing on to remediate these risks?

Colby DeRodeff:            

Well, I think there was a wake-up call, if you will. I think probably right around 2013/2014 when there were a series of breaches in the healthcare space. I know those were probably close to most people. I'm sure lots of people have gotten letters from some of those. There's no need to talk about names or anything like that, but there were some breaches and I think that it really was a good wake-up call for folks to really take a look at what are they doing? And I think that, you know, not only take a look at what they're doing, but take a look at why the adversaries are targeting healthcare specifically, right? So, I think a lot of work was done looking into why these particular threat actors are going after the healthcare space.

Colby DeRodeff:            

Now, once you know your enemy you can actually do a little bit more to actually protect yourself, right? From that enemy. So, they started looking at the tactics that were being used and what kind of techniques the adversaries were doing, leveraging and not surprising probably to you, or to me – or to most folks that have been around awhile – sometimes it's still very basic techniques that are being used, like phishing, right? I think most of the breaches that happened could be attributed back to phishing in that timeframe that I mentioned earlier. Phishing and malware, right? So, use the phish to get the malware in, lateral movement and go from there, but what I've seen a dramatic growth in, in the healthcare space is around the NH-ISAC, now known as the H-ISAC. The information sharing and analysis center for the healthcare space.

Colby DeRodeff:            

This organization has done a lot to bring the community together and really put an emphasis on sharing threat information as it relates to not just the healthcare sector, but primarily focused on threats that healthcare is seeing. And I would say I've been involved in a lot of different ISACs. The aviation ISAC, the IT-ISAC, FS-ISAC of course, and a lot of state-sponsored H-ISACs globally. Different countries like the UAE and Switzerland, et cetera, but what I've seen in the healthcare space is a very active sharing community. I see threat intelligence teams from various organizations really putting it all out there and sharing threats that they're seeing to their organizations, and honestly I think as an industry through collaboration is really how we ultimately turn the table on the adversaries because it creates a force multiplier, right?

Colby DeRodeff:            

You got all these security guys but they work at different companies. Well, the bad guys got a whole bunch of guys that are willing to work together and they don't have lawyers and policies saying you can't do this and you can't do that. They're just doing it. They're buying and selling malware and account IDs, and everything else, you name it. But getting our guys, the good guys, to actually be able to work together, collaborate, share information about the adversaries that means yeah, somebody may get attacked first. But if I can take the data from that and share that with the folks that are potentially going to be impacted next they can set up and make sure that their defenses are in place so that they won't be potentially a victim of the same adversary. And I am seeing this more so in the healthcare space than any other vertical.

Brian Contos:                

Yeah. That's really great to hear because I know there are some ISACs where a lot of organizations that are involved hold a lot of data close to their chests. It's sensitive and they're just unsure if they want to share it, with whom they'd like to share it, when they'd like to share it, how much they'd like to share. There's a lot of questions that go around with that which means that the people that share a lot might get frustrated with the people that don't.

Colby DeRodeff:            

Right.

Brian Contos:                

So, if it's the open bi-directional communication, right? And you're giving and you're getting it, it tends to work better, and when I think of healthcare providers I think of they're concerned about regulatory mandates, HIPAA and HITECH and PCI and SOX and DPD and all this and as well as PII and sensitive data protection. When I think of payers I think a lot about application specific attacks and fraud. And, of course, in healthcare sciences there's IP theft, which is of course a huge one if you're thinking pharma. Then they also have a lot of specialized devices, medical systems, SCADA devices, things like that. So, they all have different concerns and issues that they want to focus on, but at the end of the day people are using phishing attacks. People are using various methods or various types of malware that are targeting just healthcare in general. So being able to share that amongst each other just makes fantastic sense, and I liken it to some of the InfraGard groups as well. You said some of the ISACs are a little bit better than some of the others in terms of maturity and sharing.

Brian Contos:                

InfraGard, I see the exact same thing. There's some InfraGard chapters, which I think are really, really plugged in and the FBI is working very closely with the commercial organizations, and there's a lot of sharing and it's back and forth. Then there's some other groups where they haven't really quite clicked yet so it tends to be regional. So that's fantastic to hear on the ISAC, and I'm guessing the healthcare ISAC must be massive. Probably one of the larger ones. I don't know if it's as big as FS-ISAC, but I think it's probably one of the larger ISACs out there, isn't that right?

Colby DeRodeff:            

Yeah, I would say probably FS-ISAC is the largest that I've worked with, and I would say that H-ISAC is right behind them and that's probably just a pure numbers thing.

Brian Contos:                

Sure. So, what steps should healthcare and we'll just talk very generally across all three categories, but what steps should healthcare be taking that you think they're not really quite there on yet? They haven't arrived at that point or they haven't made that investment step. Where are the things that they should be doing, but they're not quite doing it yet?

Colby DeRodeff:            

Well, I don't know if it's healthcare specific, Brian. I think there's a lot of steps that probably organizations across any sector should be taking that are not necessarily happening, but I think when you look at the top tier healthcare companies, right? You're talking about Fortune 100 type companies. I think they're taking a lot of the right steps. I think what happens is there's a lot of dependency on organizations that maybe are not taking all the steps, or security's newer, or less funded, less budgeted, et cetera. But I do see quite a ... What's the right way to say this? I see an emergence of really top-notch CSOs coming into the healthcare space for about the last 10 years or so.

Colby DeRodeff:            

Maybe it's because I didn't know any of them before that. So, I don't know. The ones I've seen coming into this space in the last 10 years or so, when you're talking about top-notch guys and gals that really have a read on it and they're coming into a space that I think they know there's challenges, but they're coming in with the mindset of resolving those challenges, right? And figuring out where the industry is being targeted, and I also see a lot of those CSOs involved at the ISAC level, right? And I think that it's putting your money where your mouth is, right? You can't talk about all this stuff and then not be there and be involved, right? So, I think it's great to see that.

Brian Contos:                

We often hear, and this is across all verticals, that it can sometimes be challenging for a CSO or whoever happens to be running cybersecurity. It's challenging for them to make their case to non-technical non-security business leaders, executives, board members, individuals like that. Do you think that healthcare executives, the non-technical non-security executives, they understand their risks now? This would probably be a much different response if I asked you 10 years ago, but is there awareness that yes, cyber is important, it's an area that does impact the patient experience, it's something that could impact our brand, it could impact revenue, et cetera, et cetera? Or is that still a bit of an uphill battle as it is with some other verticals today?

Colby DeRodeff:            

I think it's becoming pretty mainstream. I think I've even seen executives at some of these conferences that are not even in the technology side of the business. They're coming to just learn and see what's going on, and so I do think it is getting ... It's probably getting a little bit easier. I don't want to speak on behalf of one of the folks who has to go in front of the board and ask for the budget approvals to implement their security programs and whatnot, but my guess is with ... The more things are in the news, right? You hear about these breaches, and you hear about data loss, and customer data, patient data, et cetera. You hear about these things. I think every time that happens the fact that there is publicity around it doesn't hurt in the educational process of folks that are not really tied to the technology side of the business, right? I think every time they see the Equifaxes or whatever the case may be, right? We say we all see them in the news. We see the same stuff.

Colby DeRodeff:            

So, it brings awareness and lets the other executives really have some empathy for the team that's trying to protect the business, right? So yeah, I think they're probably getting a better idea of the impacts, especially at the CEO and board level.

Brian Contos:                

Yeah, I think across the board I'm seeing that. People aren't looking at cyber risk from the perspective of cyber risk anymore. They're looking at it from what's the financial risk from cyber in dollars or efficiencies? What's the impact to my brand? And I think that's the right way to look at it because I truly believe that cybersecurity is a strategic business initiative and it should be treated like other strategic business initiatives. Measured like they are, managed, monitored, etc. So that's great insight, Colby.

Colby DeRodeff:            

That's right.

Brian Contos:                

So, Colby, final question as we wrap up here, and this is something we like to ask all our interviewees that come on the show. Who's your favorite superhero or super villain and why?

Colby DeRodeff:            

Oh, well that's off topic.

Brian Contos:                

It has to be a healthcare related superhero.

Colby DeRodeff:            

A healthcare related superhero. Well, let's see. I guess if I had to pick one I really like Deadpool. I think I always like the underdog and he's just super. He's not a hero, right? It's not about being a hero, it's about getting the job done and I like his expression "maximum effort." Which is I think in this space with what we all do you got to put maximum effort into these things to stop the adversary. To get out there and make the world a better place through security. So yeah, I've got to go with Deadpool on that.

Brian Contos:                

Yeah, and just to be clear, this program is not sponsored by Ryan Reynolds but, no, I think ... Who doesn't like Deadpool? I think that's a great one.

Colby DeRodeff:            

Yeah, plus he's got some good lines and they're pretty funny.

Brian Contos:                

Well, thanks Colby, and thanks to our listeners for joining and be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
