Cloud Security Today
The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cloud security. This is not a news program but rather a podcast that focuses on the practical side of launching a cloud security program, implementing DevSecOps, and understanding the threats most impacting the cloud today.
Cloud Security Today
The future of cybersecurity in healthcare
Episode Summary
Corey Elinburg, a cybersecurity leader, discusses the importance of approaching cybersecurity as a transformational force and empowering the business. He emphasizes the need to avoid draconian controls and adopt a mentality of finding solutions rather than saying no. Corey also shares insights on hiring security leaders and building relationships with vendors. He highlights the value of cloud-based security services in rapidly aligning IT with the business and shares examples from his experience. Corey emphasizes the importance of digital trust in healthcare and the need to prioritize patient safety. He also discusses personal growth and staying up to date in cybersecurity.
Takeaways
- Approach cybersecurity as a transformational force that empowers the business.
- Avoid draconian controls and focus on finding solutions rather than saying no.
- Embrace innovation and set the terms of adoption to drive business transformation.
- Build trust and empower your team to enable scalability and focus on strategic initiatives.
- Cloud-based security services offer agility, scalability, and rapid alignment with the business.
- Build relationships with vendors by understanding their value proposition and engaging in problem-solving.
Chapters
· [02:10] Kind words about Corey.
· [03:13] Transforming business through IT.
· [05:20] Where security programs go wrong.
· [06:35] Corey’s hiring persona.
· [07:50] Embracing innovation.
· [14:26] Principles to accomplish your vision.
· [17:20] Cloud-based security models.
· [23:55] Bringing value to businesses.
· [28:09] From practitioner to leader.
· [33:41] Unifying security and developers in purpose and practice.
· [38:15] Implementing digital trust.
· [41:28] Corey’s growth formula.
· [42:53] Corey’s parting words.
Notable Quotes
· “It’s not just controls. It’s empowering the business to operate in a resilient way.”
· “Too often in cyber, we forget that we’re selling in every interaction.”
· “When you engage trying to solve a problem rather than engage trying to sell a product, you’re immediately on a better footing.”
Relevant Links
Website: www.commonspirit.org
LinkedIn: Corey Elinburg
The future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.
Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
[00:00] Intro: This is the Cloud Security Today podcast, where leaders learn how to get Cloud security done, and now, your host, Matt Chiodi.
[00:15] Matt Chiodi: This month, we welcome Corey Elinburg, the CISO of CommonSpirit Healthcare, to the Cloud Security Today podcast. Now, you may not have heard of CommonSpirit health, but they are a huge nonprofit Catholic Health System, dedicated to advancing health care for all people. This is a massive organization with over 175,000 employees, 25,000 physicians, over 140 hospitals, across more than 2200 care centers, serving sites across 24 states. As you can imagine, this is a huge attack surface to protect, and Corey talks about his approach. One thing that I have loved about Corey, as I get to know him better, both on the podcast and also from a vendor perspective, is his humility and how he brings this into his work as a security professional. One thing I want you to listen for in the podcast today is how he infuses it into his leadership style, but then also, the thing that I loved was how he talks about how Cloud-delivered security services actually help you better and quicker align to the business model, from an IT perspective. This is not a view that I've heard expressed often, but I think it's one that, if you are a practitioner who's looking to build a business case for moving more of your security services to the Cloud, this is something you should listen to.
If you love the podcast, please pause it right now, and give us a five-star review wherever you listen to your podcasts. Thanks so much for listening.
Corey, welcome to the show.
[02:05] Corey Elinburg: Well, thank you, man. Appreciate it. It’s my pleasure to be here.
[02:07] Matt: Awesome. Well, I’ve got to say, I was looking at your LinkedIn profile as part of the show prep, and I was just immediately impressed by all the kind things that your colleagues have said about you, and I want to read one, in particular, because it really stood out. So, the quote said, “Corey leads by example. He is an empowering, vulnerable, and empathetic leader, who creates synergy in each interaction. The leaders around him are stronger because of his trust and empowerment of them. He provides energy to others and inspires everyone to achieve results joyfully. He has significant experience, a love for serving, and an immense passion to transform the business through IT,” and then they have in parentheses “with security controls, obviously. He is a leader to emulate, and I am grateful to work with him at CommonSpirit Health.”
So, first of all, that's just amazing to have any colleagues say about you, but what really caught my attention was the point around an immense passion to transform the business through IT, and security has not historically been seen as transformational to the business. Sometimes, quite the opposite. How have you approached this and put this into practice?
[03:33] Corey: Well, I think there are a couple of ways. It is sometimes difficult to think about cyber being transformative, because so many of the capabilities that we deploy are hidden and behind the scenes. For those pieces of the estate in cyber, I think what you've got to do is help the business understand that it's not just controls. It's empowering the business to operate in a resilient way, and we actually provide not only the confidentiality and integrity of data, but we’ve also got to remember that we're helping provide the availability of the business. We are assurance of availability for the business, and that's empowering and transforming. I think, the other part, though, is that we do occasionally interact with the user in a very in-your-face way, and Matt, this is the space that you work in today and are familiar with, and that is identity. Identity is very much right in the face of the user every day, and so providing solutions, especially as we're moving into this modern era of things like passwordless capabilities, doing away with the difficulties of multiple passwords, providing strong password management capability for external sites where people do work, because maybe, I'll use an example of a vendor website. They're not going to offer SSL for the vendor website. So, how do we have a secure way to store those passwords, etc.? So, those are very empowering things, and they can add delight to the user and not just be a control that may seem to be in their way.
[05:19] Matt: Where do you see most, or let's not say most, but where do you see some security programs, maybe taking a, maybe not call it a wrong approach, but maybe not an empowering approach? Where have you seen organizations go wrong with their approach, from a cybersecurity perspective?
[05:37] Corey: Well, draconian controls, obviously, are one of those. A lot of it is about your mentality, though, and really, the approach you take, from a mentality perspective, from your program, will become infectious, and I always try to push that we are not the shop of “No.” We are the shop of “how?” and I always like to say it's really important, as a CISO, to get every one of your leaders underneath you, to the point where they don't feel like they say “no.” They want to say “how?” but that means you’ve got to put your big boy and your big girl pants on when you sit in the conversations, because it's easy to come in and just tell someone, “that doesn't meet the security requirements.” It's very difficult to understand the entire ecosystem you're working with well enough to solve for a way to do it effectively.
[06:34] Matt: Is there a certain persona that you look for when you're hiring security leaders, or is this something that you can develop? How do you look at that talent side of that?
[06:47] Corey: There is a persona I look for. I'm not saying it's this persona in every single scenario, but I really like a sales engineer persona. I think, too often in cyber, we forget that we're selling in every interaction that we have. Sometimes, people may not understand that they're selling because they don't know what they're selling in each one of those interactions, but sales engineers tend to have the ability, first of all, to listen, to contextualize their answer, and they understand that when they give an answer, they're trying to not only build trust and rapport, but they are trying to sell something that's supposed to be accomplishing something bigger. You have to leave every room not just winning an argument. You have to leave every room with another friend, with a stronger alliance, etc., and so I think that's inherent. They have to do that to survive.
[07:49] Matt: I want to read from a CSO Online article that you were quoted in, way back in 2016, and it says, “many organizations are concerned that overly restrictive security practices will stifle innovation. That's why security teams, ‘must be unified in purpose and in practice, and with enough IT innovation teams,’ said Elinburg. His advice to security leaders: ‘don't resist that. Embrace it. Become the innovation leader, so you can set the terms of adoption, not struggle to manage the terms that were set for you.’” Give us an example. What does this look like, in practice, in a large organization?
[08:32] Corey: I'll give an example of something that we're doing in our environment. I typically don't talk too much about what we do in our own environment, but I will give an example here. There's a new class of products that are out today, called enterprise browsers. I won't name specific vendors, but they're really creating some game-changing capabilities. From the cyber perspective, if you have three, four browsers deployed, and we often seem to find ourselves in positions where we have to do that, because there's some legacy application somewhere, and that application requires, IE, as an example, and then there's this other legacy application over here we bought, and it has this browser requirement, and then on top of that, it's difficult to manage those legacy browsers when you really want to apply the appropriate security controls, like browser isolation, etc. Oftentimes, you end up buying an overlay product and have to put the plugins in, and the list goes on and on.
So, these enterprise browsers are becoming interesting, first of all, because of the strength that they've brought to the table for browser emulation. So, now your user can have one browser, and when they go there, they can be very familiar and offer the capabilities they want. You can brand it. You can give them your own company's experience there. It can be your company's browser, not Microsoft's browser or Google's browser, etc., and so I think that's impressive, but the other thing you can do is tie things together for great and unique workflows. Some of these products offer robotic process automation to help take the same number of keystrokes away from the user and diminish that and give them a better experience. Then, while offering many cyber capabilities, like controlling copy and paste, even between tabs in the same browser.
So, really interesting capabilities, in terms of granular controls, but have that option to bring some delight to the user and allow us to save problems for our other IT innovation teams, because the desktop team does not want to manage three browsers. The vulnerability management team does not want to patch three browsers, and the list goes on and on. So, it saves from operations, gives better user experience, but as a cyber person, if all you cared about were the controls, you would come in there and just say, “well, we can do this, and we're going to turn this on, this on, this on, and here's another thing you have to manage, another thing you have to manage.” So, I think embracing innovation and not just looking at your security requirements, but let's go in thinking about the user requirements and the solution requirements, and be a part of the solutioning, not just a part of placing the controls in place.
[11:34] Matt: How do you get in front of that? I think, because I've been a part of many large companies, cybersecurity programs, and they seem like they're almost always on their back foot just responding to the business and feeling like “man, I'm just never going to catch up.” So, how do you get yourself into that proactive place where you are setting the terms of adoption and not, as you said, struggling to manage the terms that were set for you?
[12:01] Corey: Well, part of it is really having a strong team and trusting the team that's underneath you. If I was spending all day, every day micromanaging the myriad of tasks, programs, and operations that my cyber team runs, I would have no time to be doing that, and providing that, but because I trust my team, because they do such a great job, not only in their tower, in their vertical, but they partner so well across IT verticals, it allows me to be working with my peers. So, it allows me to work with the CTO, it allows me to work with the leader of enterprise applications, it allows me to work directly with the business, and by doing that, I understand and know about things prior to them being deployed, and so we can prepare, I can inject my architecture team early so that they're there and the part of the solution. Now, does that happen every single time? It doesn't. I think, until you take P cards away from every member of the business, you'll never completely get away from something being purchased without participating in it, but anything that goes through the standard process for approval, etc., we're there, and not only are we there, we get to be there in the imagination stage, not just in the solution stage, and maybe that's a key thing to take away. As a CISO, you've got to be out and about, and not just with your head down in your organization, because if you're not, you're going to be past the imagination stage before you find out you're already going to be into the implementation stage.
[13:47] Matt: Sounds like there's an element of proper planning. Also, a certain amount of trust that you've built within your own cyber team, in terms of letting your leaders lead, trusting them that they're going to do that, obviously having the right levels of check-ins and accountability there, but then that gives you, if I'm hearing you correctly, the freedom, as a leader, to be able to go out and make those relationships across the business so that you're hearing about things, like you said, during that imagination phase, where things are still creative, and things are still flexible. Does that sound about right?
[14:24] Corey: It is, and maybe I'll add one other interesting thing that I think is important. Almost going back to the sales comment I made before, you're always selling something, and as a CISO, I think you've got to have a bigger vision and mission that you're trying to accomplish, and that may be different for every organization. Every organization is at a different place in its lifecycle and maturity, etc., and so it's probably going to be different. We have a variety of things that, I consider them almost religious principles, in the way we design and the way we think, etc. I'll name just a couple of them off. We should not buy solutions that require us to spend more than 10% of the time managing the platform, and therefore they allow us to spend 90% of the time extracting value from the platform. That's a hard and fast rule.
You can tell, probably, we like SAS solutions as a result of that, because I get no value paying a highly compensated identity and access management engineer to be patching an application on a server. It makes no sense why we would do that, from a platforming perspective. So, the other thing that allows, I can have a small platforming team that can handle many platforms, and so it really gives us scalability. We've got five or six of those types of principles, and when you have sold those to your team, and your team are on board, and they are going and evangelizing them, then you don't need to be in every meeting, and they go and create converts, and I think it's important to have that vision, and to have it very well sold, because that allows you to scale in a way you're not going to be able to scale otherwise.
[17:20] Matt: I know that you're a big proponent of Cloud-based security services. You mentioned SAS, but I think you look at it, is a way to rapidly align IT model with the business. Unpack this maybe a little bit more for us. Maybe tell us a story that illustrates why this works, versus the on-prem model.
[17:39] Corey: Well, in my current role with my current employer, we are highly acquisitive, and we partner with a lot of joint ventures, and so in that model, it becomes very difficult to integrate acquisitions, as you can imagine, especially, we're in healthcare, so everybody says, “well, the integration work is hard everywhere.” It is. It's really hard when it's hospitals that you're integrating, and you're thinking about potentially changing the workflow that every nurse uses, because you're now changing the technology tools that are there. You want to minimize your impact on patient care, and all of those things come into play, and from a cyber perspective, the ability to deploy your tooling rapidly is really important. So, when you think about what that used to mean, for us, the first thing you had to do, before you could really do any cyber integration work is, you had to have WAN connectivity, because you can't manage anything if you can't talk to it, but why do you want to establish WAN connectivity when you don't have any of your security controls in place and you don't have visibility into the controls that they have in place or their effectiveness? So, it's this vicious cycle that you get in.
So, by moving so many of our controls to Cloud, we literally only need our acquisition to have an Internet pipe. Once you've got an Internet pipe, we can send their logs to our sim. We put them on our EDR platform, which we can manage from the Cloud. We put them on our vulnerability management platform, which we can run from the Cloud, and the list goes on and on, and on. Email security done in the Cloud. Change the DNS, point it to the new place, you’ve fronted their email security. So, we don't have to have them on our email platform to have them on our email security platform, and so it just gives us this agility to adapt to the business rapidly and get our controls deployed rapidly, and then even if the rest of the IT environment has not been integrated, we have unified incident response model then, because we've gotten all of our controls in place. So, I think that's just one example of if you come into an organization that's highly acquisitive, and you're still thinking about all on-prem controls, you might not be aligned with the architectural model. Not saying that in every case, but just a different way to think about it and say, “Does my technical model really aligned with what the business is trying to do?”
[20:34] Matt: I think that's powerful. I've worked with many different clients, but I'm thinking of some of my clients that are in banking and finance, and how they've done acquisitions that are sometimes years in the past, and they still haven't integrated because of security concerns. I've seen this happen a lot in industries that are highly regulated - healthcare, financial services, and there just seems like there's this big resistance to change. A lot of it, again, stemming, I think, from regulations, perhaps, and many leaders that I have worked with, they just struggle with convincing their leadership to move to a Cloud-delivered security services model. How would you recommend, maybe, going about and building that business case?
[21:24] Corey: Well, it's not an easy one to build, depending on the industry that you're in. Every company in every industry tends to have a finance model, and industries that are, I'm going to describe as asset heavy. Industries that are asset heavy tend to want to capitalize anything that they can capitalize. So, if you want to start looking at more of a cashflow model, or an OpEx model, that becomes very difficult to do, and you have to understand that you're asking, now, your finance team to support two models. Now, you're bringing more work on them, but I do think, if you can help the business understand some of those things that we were just talking about. Yes, this may actually cost more, or maybe this sits in a different spot on the balance sheet. Maybe this now hits on the OpEx bucket rather than on the CapEx bucket. However, have you considered the value that it's bringing to the business that you didn't have before?
So, maybe one of the biggest things I would say, and I don't know who to attribute this quote to. I know, it was actually an aftermarket car parts manufacturer, but I don't recall which one, and it's a very simple value equation. Value equals the number of capabilities, times their quality, divided by the cost, times the time to deliver, and the reason I like that is, if we can start measuring in value, you notice cost was considered a negative. It was in the denominator, not the numerator. You could have a very high cost, but if the number of capabilities and the quality of those capabilities are extremely high, it makes the cost not look so bad, and that's especially true if the time to deliver is low, and I think that's the way, as we make business cases, we should think about them. We should not be coming to the business just with cost. We should be coming to the business with value, and value is not separate from cost. Value should already be including cost in its calculation.
[23:54] Matt: Let me ask this. So, obviously, part of that equation is going to be working with a vendor a lot of these times, because they're the ones providing that Cloud-delivered security service, whether it's email security, anything like that. I can tell you, from a vendor perspective, now that I've been on the vendor side for a couple of years, we're constantly looking at, how do we better talk about the value that we bring to a business? Part of the challenge that any vendor has is, you're working with a number of different companies that are in unlimited number of different businesses. In terms of, from a vendor perspective, helping explain that value, how do you look at that? So, you said, talking about the value part of it, with you on the inside, talking to the business, how do you work with vendors to try to capture that value? What do you see as that relationship being?
[24:45] Corey: So, this will be interesting, because you and I have engaged in some of this practice already. If you've met one CISO, you've met one CISO, in terms of how we like to engage. I do think you can categorize this into three major buckets, though. There are those who just don't want to talk to a vendor, ever, under any circumstance. There are those who will engage with vendors under the right circumstances, but they don't want to develop a relationship, and I'm careful to use the term partnership, because we might have a lawyer on the call, and then we get into conversations about shared liability, etc. So, maybe I'll loosely use the term, partnership, and then you have those that really do want to partner. They want to have you integrated, etc. I think, typically, the ones that really want to partner, they don't like cold calls. They have certain circumstances. The first way they want to meet a vendor is through their own network and the group that they tightly collaborate with.
There's a close network of CISOs in healthcare. I'm sure in every industry, and when I have a problem and I don't quite yet know where to turn to get the answer, I don't turn to the vendors first. I turn to my peers first to see what experience they have, and they, many times, will not only bring a product recommendation, they'll bring a lot of learnings that they learned along the way, and that puts me in a better position when I do engage, and so if you can find ways, over time, to get yourself inserted into those networks, that is naturally going to be a way to bring you into conversations. Another place where I look for vendor connections, initially, Gartner, a number of years ago, purchased a company called Evanta, and I love their engagement model, because you will go to a meeting with your peers, they let the CISOs in the geographic area drive the agenda based on what's important to them, and you will have one or potentially two vendors that will come, but the presentations are really not allowed to be product pitches. They have to be more focused on the specific business problem that we're trying to solve, and then if you want engagement after that, and the conversation intrigues you, you have the ability to do that.
When you engage trying to solve a problem rather than engaging trying to sell a product, you're immediately on a better footing, but you also need to understand who you're engaging in the organization. That's definitely true if you're engaging me, but if you're engaging one of my engineering managers, that may already be done, and then it may need to be a more tactical engagement. So, I would say, make sure you know who you're engaging in the organization and how involved they are, at the problem level, and then engage appropriately from there.
[28:08] Matt: Earlier on in your career, you had some really deeply technical roles at Cisco, Microsoft, and United Health Group. You even had your CCIE, which is, in my view, one of the most difficult certifications to get. How did you make that transition from security practitioner, someone that's down in the weeds, to leader? What was that journey like? Was it difficult? I guess, the last one I threw in there on that was, would you do anything differently, if you could go back?
[28:39] Corey: A lot of bumps in the road, and it was not a rapid journey. It had a lot of steps along the way. Specifically, in my technical career, it went from being an individual contributor to a manager, to a practice director, and the list goes on and on. At one point, I ran the Dimension Data North America Security Practice, and so there's this process that you go through, and each one of those was an incremental learning step. I'm just going to give you an example of how bad you can screw up your first real manager job. I was made a principal consultant and had a team of consultants working under me, and sometimes needed resources from other regions to support me, and this is not my saying. I'm going to share with you the saying of one of my mentors. His name is Jeremy Hyman. Something he told me and has stuck with me. You've got to learn that there's a difference between engineering principles and engineering preferences, and you are forcing your preferences on your people. That doesn't exhibit trust or empowerment, and so that was an early-stage lesson, and I like to tell stories. So, I'll give you two more big stories along the way, with principles to go along with them.
The other one, I learned from my dad, but I didn't really learn how to apply it until I got much older. My dad was letting me dig fence postholes with him, the hand way, posthole diggers, and I was too young to really help very much at that time, but he let me go be in the way, and we got, maybe, halfway through the job, and of course, I was just down there, pecking around in the dirt, and my dad was doing most of the work, and we stopped and took a little break, and he said, “son, do you know what the first rule of digging holes is?” And, of course, I had no idea what he was talking about, and certainly didn't know he was about to say something incredibly rich with wisdom, but his answer was, “the first rule of digging holes is when you realize you're in one, put the shovel down,” and so I would say that's one of the second big lessons.
Then, the third one came from another one of my mentors, Jairo Orea, and he called me right after I had started at United Health in Optum, and I was maybe two weeks in, getting to know my new team, had some brilliant Cloud security engineers there, and he called me one morning and said, “Do you have oak trees where you live?” This is how the conversation started. “Do you have oak trees where you live?” and of course, I said, “Yes. Big white oaks, red oaks,” and then he said, “what grows under an oak tree?” and I thought about that for a minute, and I said, “Well, really, nothing grows under an oak tree.” When we have them in our yards, we call them an island, and you put the mulch around it, because the grass won't grow. Nothing else will grow. Maybe a few small plants that like low light, you might get to grow there, and this was in the early days of video calls, and there was a very awkward pause, and he looked right at me and said, “Don't be an oak leader,” and of course, what he meant was, if you're an oak leader, you're not letting any of the light shine down to your team, but by letting a little bit of light in, you're going to allow them to grow, and that's going to allow you to scale, and probably the biggest mistake that I had to learn and work through was, I have incredible technical expertise, and I want to use that expertise, but by doing that, I harm my team, and by doing that, I don't allow myself to scale.
So, when you can get to the point that you can let go of that, you can scale to do the things you need to be doing, which is empowering and enabling your team. So, I had to learn and remember that I'm not there to do their job. I'm here to do my job.
[33:41] Matt: You mentioned UHG, but when you were there, you established an extremely close-knit relationship with the business and the developers, that was described as, “security and developers being unified in purpose and in practice.” Tell us, how did you do this? Was there a framework or a model you used? How did you accomplish security and developers being unified in purpose and in practice?
[34:07] Corey: Well, I would say, feeling it out and being able to make a lot of mistakes along the way. That was the early advent, Matt, of DevOps and DevStack Ops. This is when people had not heard those acronyms, at that time, and so what was happening was, we were developing lots of product teams, and truly product teams. Not the product teams we talk about, like we have in IT today, and we call that a product team. I mean, a product team who had its own centralized P&L. It truly was a product, and so, cost efficiency was very important, because they weren't just a capability we were deploying in IT. They were their own cost center. They had their own P&L. Their profitability was important to them, and their efficiency was important to them. Well, you can see, obviously, when it comes to things like provisioning, they don't want to get in a queue for provisioning with IT. They don't have the time to wait for that. Their platform engineering may be making 28 changes and need to do 28 rebuilds in a day. They don't want to wait for the traditional IT processes.
So, we started with simple things like figuring out, how do we empower them, and at the same time, effectively govern and monitor them? That started with a very, I'm going to call it, centralized IT model. We need to change the way we do it in IT, and we did need to change the way we were doing a lot of things in IT, but then over time, things began to change, and the ability to do check-ins part of the way through the process, the ability to empower them with tools like TerraForm and develop immutable infrastructure, and then the ability to lay monitoring on over that, learning that it may not be effective for them to use the same tools that we have as our enterprise standard. Now, this one was a hard one, as a CISO, to deal with, but I'll take vulnerability management. As you can imagine, we had the most expensive tool that existed for that, and it, in my opinion, was the best tool that existed for that, but a new product team might not be able to afford the chargeback for that. Well, did I really care that it was that or did what I really care about was a SCAP compliant, exported format, so I could unify those results, so I still had the visibility and governance, etc., and it had to not only come out in the right format so I could use it and have visibility. It had to come out at the right interval of time, and I had to have it tied with their asset management, so I could know if every asset was covered. So, that put me in a way to govern in a distributed manner. I still set all the policies centrally, but I governed it, and the enforcement was distributed. We had other brilliant talent.
So, I am not the person that did this. I did some things. We had a leader there, named Aaron, who was one of the innovators in beginning of security chaos engineering, and is a thought leader in that space today, and we had great folks on the development team that were willing to work through us and fill it out. So, I want to be sure this is not something Corey Elinburg did. This is something that that culture developed through necessity for business, and because we were willing to be flexible and adapt. Not flexible on having the controls, but flexible on how we got there.
[38:15] Matt: The World Economic Forum and other organizations like ISACA have been talking a lot about digital trust. How do you define this, and how do you put it into practice at CommonSpirit?
[38:27] Corey: Well, for me, obviously, in healthcare, it's the patient, first of all, having enough knowledge, and secondly, understanding enough about you and what you do, and how much you care, that they are willing to put their data and entrust you with their data, and in healthcare, that they are willing to entrust you with their safety, because in healthcare, it's not just about their data. A ransomware breach is definitely an impact to patient safety, and we live in a world today where people have somewhat become callous with regards to the loss of their data. It happens all the time. Almost everybody in America has their personal data exposed somewhere through one of the many breaches that have happened, but we're just in the very early stages of people becoming aware of how much their safety may be involved with cybersecurity, and so I really think we have to make the connection, and so it's not just about technology. Once again, we're in sales. We have got to be selling to our constituency that they can trust us with their data and with their safety.
I'm going to give you an old example, and I'm not going to give the company name or the product, but let's pretend you're in consumer products, and let's pretend you have a rewards program, and in that rewards program, there is a single mother somewhere, perhaps in California, and let's say, it's diapers. There's 20 different companies that manufacture diapers. What would happen if that mother was living on fixed income, living paycheck to paycheck, and it was only those rewards points that allowed her to get the last case of diapers that she needed every month, and what would happen if that rewards program got compromised, and somebody turned what would have been her last case of diapers into an Amazon rewards card and shipped it to some other address. That doesn't provide digital trust. I'd say, the first step of establishing digital trust is even understanding what it means for your organization. It's not about controls. It's about that single mother, and the impact it could have on her family, and that's how I try to think about it, from a healthcare perspective.
[41:27] Matt: So, you run a big team. You've got a lot going on. You do a lot of travel. When it comes to personal growth, staying on top of what's the latest, maybe even being a visionary looking at what's coming next, what's the formula that works for you? How do you stay up to date? How do you continue to grow?
[41:46] Corey: I would say, voracious reading, voracious listening, and I'm not necessarily just talking about podcasts. I mean, every time my team members speak, every time another team member in IT speaks about something, listening, jotting down questions, going back and then reading, and following up, and learning, listening to thought leaders and paying attention to thought leaders, but I think, again, the biggest one is when you hear something, taking the time to ask questions, so you can understand it, and those things put together, and then I would say, there are also occasionally two beverages involved. Coffee in the morning, and occasionally, late in the evening, bourbon, to go along with whatever you read.
[42:45] Matt: Well, this has been super exciting. I love the fact that you've shared so much of your personal knowledge. So, thank you for doing that. Are there any parting words that you maybe have for our listeners, or perhaps something you wanted to share that I didn't ask you about?
[43:00] Corey: I think, the only thing I would share is, when you're in a position, like I'm in today with you, the first thing I ask myself is, I’m not even sure I have anything to share that would be beneficial to anyone, but I do consider it a privilege to be here, and I don't know it all, but I'd be honored to know that just one person was helped by something, anything, that I said, and also, I'd love to make new connections. So, those members of your podcast, if anyone would like to connect, feel free to reach out.
[43:36] Matt: I love that. Well, Corey, thanks so much for coming on.
[43:40] Corey: Thank you, Matt. Hope you have a great day.
Thank you for joining us for today's episode. To find out more, please visit us at Cloudsecuritytoday.com.