Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Shut the Back Door, brought to you by Redox.
Shut the Back Door is a healthcare security podcast dedicated
to keeping health data safe one episode at a time.
I'm your host, Jody Mayberry, and joining me, of course,
is Megan McLeod. Hello, Megan. Hello again, Jody.
(00:22):
And we've got Matt Mock returning. Matt is
the Chief Information Security Officer at Redox.
Matt, it's great to. Thanks, Jody. Great to be here.
Well, there is a reason Megan wanted Matt back,
because this episode we're going to talk about something
very specific to Matt's role with
(00:44):
security incidents and ransomware impacting
health systems and health care providers. We want
to talk about building relationships with other
organizations, especially one Chief Information
Security Officer, which I now will call CISO, because I hear that's
the proper term in the business, especially
(01:07):
one CISO building relationships with others. And
Matt is the man to talk about that. So, Matt, I'm
just going to get the conversation started by asking about the
value in that. Why do you maintain
relationships with security teams and other
CISOs from outside your own organization?
(01:29):
Yeah, you know, I just saw a recent study that came
out. It was actually showing that between the first
few quarters of 2025, compared to this time last year, that
the number of US victims from data
leaks and breaches was up
149% year over year. And this kind of goes to
(01:50):
that to talk about relationships, that building those
strong relationships between security orgs
improves security, it drives innovation, and
it supports effective incident response. And that
number is showing how big that is up. As of right now when we're
recording this, all indications are that the growth year
(02:13):
over year of ransomware attacks on healthcare and other
security incidents has gone up significantly.
2024 was one of the largest ever for healthcare,
and we're only seeing that expand. So I think those
relationships, having those between security groups,
not just trying to silo yourself, you know, security
(02:35):
is best shared amongst the groups to
help foster that environment of improving it for all. You know, one
thing that we like to say at Redox is that we're all patients, and
that really applies to everybody in healthcare. Now, if you've ever gone
to any doctor or any healthcare facility or
pharmacy, you know, it all impacts us. This is all our
(02:57):
data out there. So helping each other helps to protect
all of our own data that's out there. Yeah, and I think that's
one of the things that I really appreciate being in security
is that it does have this sense of
collaboration because nothing is in a silo. So even if you
want to try to operate with just your organization, it's
(03:18):
pretty much impossible you're going to interact with other orgs, whether you
information share or not. There is an element of the
connectivity there. So the fact that I feel like security
as a whole, at least in my experience, is very
collaborative in that way. So it's not like you're fighting necessarily
an uphill battle to have these connections. A great point around
(03:42):
that too is that with the way that security
is having to catch up with attackers these days, especially
with AI out there, things move
beyond a lightning fast pace anymore. Trying to
reinvent the wheel just seems like you're always going to be in a
further catch up mode. So sharing with others and asking
(04:04):
for help helps you to get ahead in that space.
So why try to figure out something that somebody already has figured
out 20 times over, just for the sake of saying that you did
it on your own? Like these days that means that you're putting your company
and yourself at further risk. So trying to reach out,
finding folks that are in the similar situation up against
(04:27):
the same sort of challenges. In healthcare, everybody is facing
really the same base challenges these days. So there's lots
of people that you can talk to and get answers to simple
questions. Yeah, and when we're talking about security incidents, it's
also, it's not something that you want to have to establish the relationships
while the incident is going on. Right. Like that's not the best strategy. If
(04:50):
you have an incident that happens and then you're trying to
now look into talking with
other CISOs or organizations to try to help you through that, or if they're
experiencing it as well, in the middle of that chaos
is not the best time to be starting that. So that's something that you definitely
want to start earlier before there's fires to put out. Yeah,
(05:12):
that is a great point though. This is something that you'll hear preached in
various forums that you don't want to be sitting around with the world
on fire around you and then realize that you should have answered
that email or had that cup of coffee with somebody because
in the moment it's going to be really hard to get help. You also don't
have those relationships. So when you're reaching out to somebody, they don't know
(05:35):
you from somebody else. So why are they going to drop what they're
doing to come and help you? And you also don't know who to go to
at that moment. And I think if you look at some of the breaches that
have happened in the past year or so, it's clear who owns those
relationships and who doesn't, because
you'll see a faster response. You'll see information shared
(05:58):
in different means and others responding and helping
out a lot quicker when those relationships already exist, you know, and
that goes not just for other, like, CISOs or
security orgs, but also any of your, you know, like,
contacts that are out there in law enforcement. So, you know, the time
to figure out who your contact at the FBI is isn't great to do
(06:20):
while you're in the middle of a cyber attack. You know, you want to
be able to reach out and just make that connection so that they know who
you are, they know what the company is, and that everybody is
poised to be able to react if there is an incident there. Matt,
so you've talked about the importance of already having
the relationships in place. So is this something
(06:43):
that you actively seek out or have
your relationships with other organizations just
happened? Yeah, great question. And I would say it's a bit of both.
So if there is something that I'm looking for as far
as, like, getting further knowledge or that we may need
partner in or that we're trying to
(07:05):
solve, you know, a challenge that we're not
having a great time finding a quick and good answer to,
then I'll go out and try to form those bonds first.
But also if people reach out, I love to see that if somebody
just wants to brainstorm or just connect and, you
know, say, here's some challenges I'm having. What are you seeing?
(07:27):
I love to have those chats. There's quite a few people
that I have that we're kind of in the rotation. You know, every quarter
we meet up, we just kind of chat about what's going on and
then also make sure that, you know, we're sharing in between those times
if something comes up. But it's also great if you see something about that
organization that now you know who to reach out to and say, hey, are you
(07:50):
aware we saw this pop up and make sure that they
are. And there's definitely been times when that has not been the case where, you
know, we've shared stuff with other folks, people shared with us, and we're
like, oh, that wasn't on our radar. And that really helps to make sure that
everybody's being as secure as they can around this.
When you have those relationships, let's say you're just hanging out
(08:14):
with a couple of your CISO buddies at the coffee shop. Well, maybe you wouldn't
have these conversations at a coffee shop, but where do you balance
information sharing so you can both or all learn from
what you've been through with protecting company data? Yeah,
that's definitely an important part. You know, I feel in the security world,
the information and the things that we can do as far as like,
(08:36):
there's not a ton of like company secrets, if you will, so you
can be a little bit more open in like general practices. But
sometimes you do need to get in and you, like, you really want to share,
you know, how to set up a policy or something specific you're
doing with your compliance program. And depending on what the
topic is there, there's some great ways to do that. You know, obviously
(08:59):
if your companies have a relationship and maybe you already have like an NDA
in place that kind of lays the groundwork. So that's an easy one. But
outside of that, there's some other forums, like if you're in a working group
that has that H-ISAC, which, you know, you might
hear us mention quite often, that lays the groundwork for sharing
at a protected level. I think that's like the
(09:21):
default sharing is at TLP:AMBER+STRICT.
So that really means that that information is
contained within that group so you can get more of that sharing by
default. And outside of that, you can just, you know,
as a CISO or security practitioner that you should know what
you can and cannot say and just make sure that you're
(09:43):
taking those pieces of the information out and being more general in
some of the topics, you know, especially when you're talking about like maybe
customers or customers of customers or whatever it might be.
Yeah, I think you made a good point with that. Where the security side
of an organization might not be what like the company secrets
are like. That's like, yeah, you might not share all of your
(10:05):
specific settings and things like that and the ways that you're
exactly protecting against some things. But security as a
whole is not proprietary. A lot of times,
unless you're like in a company that is like you are selling a security product,
you know, which is not our case. It's like you said, it's not the company
secrets that we're sharing out when we're talking about security best
(10:27):
practices and the things that we're seeing in the
industry. Yeah, those conversations can really help to
drive that innovation of this is how you're doing
it. This is how we're looking to do it. How can we improve this? How
can we speed this up? Especially now with all the different AI options
out there, what's working for your company, what are
(10:49):
we seeing? How can you implement this to
bring down detection times so that you're finding that stuff quicker?
You know, how can you get information to the right parts of
your organization quicker? How can your team stay more up
to date? And also, you know, is there ways that you might be able to
do that cost effectively by consolidating information
(11:12):
and getting it to the right people that they don't have to go through as
much noise, because there's always lots of noise out there.
But I think that that does help drive innovation when
people are sharing how they're doing things, but also
looking at how others are doing it and giving feedback and
kind of merging ideas out there. Yeah, I see that a lot
(11:34):
in the awareness training space
and the risks around insider threats and things like that.
There's a lot of information out there that people are excited to talk about
their programs or like you said, if they're starting up one and need advice.
Those are the kinds of things that it's just a lot easier, like you said,
than instead of reinventing the wheel, you get to like
(11:55):
pick each other's brains and kind of collaborate on it. Not necessarily just
inside your group, which is helpful to have, like a broader picture with it
when it comes to meeting other people from
organizations, other CISOs and security professionals.
Matt, if you had the choice, would you want to spend the
afternoon with a CISO who has been through a similar
(12:17):
security incident that you have or someone that's been through
an incident you've not been through? Oh, that's a
challenging question there. I think, you know, probably the
latter only because that's something that, you know,
we might not have experience with, hands on. So getting that
knowledge and seeing how people reacted to it allows you
(12:39):
to modify maybe your incident response plan
or get the right contacts. I think
these relationships, when you do have an incident, whether
it's a smaller incident or it's something major
like a ransomware attack, gives you that kind of Rolodex, if you
will, of who can I reach out to that had similar
(13:01):
experiences, who had the experience with
the quickest way to remediate this, what
worked for them? And, you know, hopefully that has already
helped you to redefine your, you know, your breach
response plan and your incident response plans. But, you know, you may have
this great plan and then somebody else may have said, hey, we
(13:24):
went through this thing, we did these steps and, you know,
these are the ones that like just did not go as expected. And
we've done a lot of that at Redox ourselves. We've connected with others,
we've looked at what has worked and has not worked and we've
tweaked our plans based on that because we don't want
to reinvent the wheel or think that somehow it's
(13:46):
going to work for us when it clearly has not helped in the past.
It's also great to share experiences on
what third party vendors have you used and were they worth
the money to help you through this? What were the
best strategies for pulling them in and working with your team?
And there's also, you know, working groups and other
(14:09):
arenas to get help from other companies as well, especially
in healthcare. The others will help remediate
an issue, to get information out, things like that.
So I think building those relationships, when the time
really comes that you need that help, having them lined up is
super important. So hearing you say all of
(14:31):
that, it just makes me wonder that when it comes to
creating security plans or just focusing on the work that you
have to do with the increase in security incidents and
ransomware, specifically increasing in healthcare
systems, where in the work that you do and how
do you prioritize external relationships? Yeah, there's
(14:53):
lots going on. You know, time management and security is a
topic that we actually want to touch on in an upcoming
episode. Because I think it's very challenging for everybody to
work all of this in, especially with just intel that's
out there. There's so much information that you need to digest or know about.
And I think some of those relationships kind of go into that,
(15:16):
that reoccurring. This is kind of that intel piece that you need.
So scheduling them reoccurring is the
best way to make sure that you don't miss out on that. So
get it on the calendars. Maybe it's, you know, 15 minutes or 30
minutes every quarter or what, you know, and it's,
you don't want it to be too overwhelming for anybody so, you know, move those
(15:39):
around. But once it's on the calendar now, it
becomes real that, hey, we really do need to connect because it's very
easy to suddenly not reach out and touch base
for, you know, six months and you really lose
out on that building that relationship. So getting those on
the calendar and you know, trying not to move them as best you
(16:01):
can and then just work around what work. You could have a phone call,
have a Zoom if you can't meet in person or if you're
traveling around, try to see who's in that area and then
let people know like we're going to be here. I'm going to try to connect
while I'm in that area. But I think scheduling it out,
having that set, is kind of the best tactic there.
(16:24):
Yeah. And even on like a somewhat smaller day to day schedule,
I believe you set a time aside sometimes throughout the week. Right.
To just like review intel and to go through different forums
and stuff. Because even then like if you schedule it into your
like weekly, daily, whatever it is time in your own
calendar and actually stick to it because I think that I am guilty of
(16:47):
putting like oh, I'll work on this during this period and then getting pulled
into other things. But if you actually set that as like almost like a meeting
for yourself to go through, answer questions, ask questions,
look at the intel available, I feel like that's helpful as well.
Yeah, that's a strategy I started doing better a
few years ago of really blocking out time in the mornings to respond
(17:09):
to things like that. So if somebody has reached out or I owe a
response trying to make sure I have specific time for that
around these relationships, around intel. So that
that happens every single day and it doesn't go by
months and months and then it gets buried on there.
So yeah, that's a great idea as well. Again, some of those.
(17:32):
Stay tuned for a future episode. I think some of the time management
tactics and techniques that everyone will learn about can really
help with these. Like your day is full every day. How do
you cram stuff in and how do you prioritize that stuff? Yeah, no, for
sure. Yeah, I think that will be helpful to see where time
management fits into security. So far we
(17:54):
focused on Matt and building these
relationships at the higher levels. Megan, do you also
do this, do you also build relationships outside of Redox?
Yeah, there are a lot of opportunities for that. So like Matt had mentioned
H-ISAC, that's like a healthcare working
group where they have a bunch of different working groups. So when you go
(18:17):
into things like that they have specific topics
that you can look into. So since I tend to focus more on
like the awareness and training and different things like that
externally I joined those kinds of groups so that we can do the
information sharing and think through different ideas, go back
and forth. So that's one way. Other things, I mean, even just like
(18:40):
simply through LinkedIn it can be a little overwhelming because of course you get
requests from random people all the time. But I've still
found that that is also a helpful communication tool in some
aspects where people will reach out and let me know that,
hey, like, yeah, I'm trying to start up this program and I see that you're
involved in XYZ. Do you have any thoughts or the other way
(19:02):
where I have reached out also on LinkedIn from contacts that I've been given
with other connections and they're like, I think that you two would really, like, have
a lot to talk about on this subject. So there's definitely a lot
of opportunity, even not as a CISO, but just being
on the team in general. And I think that with our team, we do try
to like, add that in as a priority as well, for all
(19:24):
of us to have some kind of eyes on different areas and different
intel so that we can all be in a sense, like, up
to date with that. Well, since you both do this,
I want to hear from each of you what your
advice is. So let's say we hear you talking about
this. We have never done this yet. We haven't reached out
(19:47):
to other organizations. So if I want to start reaching out
to security teams in other organizations, what are some
of the ways I can do this? Yeah, not to keep
hammering on H-ISAC, but I do think for
healthcare, that's a great avenue right there.
You'll find, you know, most organizations have some presence on there,
(20:08):
so you can search for yourself and find a member.
You can use your account rep from H-ISAC to find
you the person. You can literally just ask. We see that
all the time. You know, someone will say, is anybody from, you know, this
organization on here? You can also, you know, if you're looking for a
specific topic, you know, try to find working groups
(20:30):
or folks who are posting about that topic and
then reach out to them to see if you can make a connection there. You
know, LinkedIn's always a good option. I will say
if you're like myself and you just get kind of spammed on
LinkedIn, it's very hard to
respond back to legit requests in a timely fashion.
(20:52):
It gets a little overwhelming at times, but it's still a
valid way to reach out. And I think just finding an email
address for the person and reaching out
is also a good way to just say, hey, we're looking
to do this, or if you know somebody that has that connection. But
I don't think there's any super magic around it.
(21:14):
But it's more of just like, don't be afraid to reach out to
someone else and just ask if you can pick their brain on
a topic. And I think that does help. If you have something specific
that you're looking to talk about, that definitely helps. So that person kind
of knows the expectation, like, hey, I just wanted to
see the specific topic that, you know, maybe you just posted
(21:37):
about or we're trying to do this thing and
I'd love to pick your brain around it. That basically makes them
know that you have some end goal. And it's
not that you are trying to sell them something too, because that's always
everybody's first inclination of like, what does this person
want from me? And how much is it going to cost? Yes. No,
(22:00):
I definitely get some messages like that where I think that, oh,
we're just going to be, you know, information sharing and talking about stuff. And then
it turns out that it was a sales pitch. So
yeah, avoiding that and being more direct like you said, Matt, I think is
helpful. And then also I think like utilizing
contacts that you already have. So like, I mean, if you have none, then like,
(22:22):
yeah, you can start like that. But then once you start to build your network
a little bit, it's kind of like a web where they have a bunch of
contacts as well. So you can like talk about the
kinds of things that you're interested in and the different areas that you're looking to
improve or to share data about and things like
that. And then that's how I've gotten a lot of my contacts is
(22:43):
through other contacts. So just continuing that kind of like networking
web and like asking the people that you already know like, hey, who would be
a great person for this? Then that's also just a super helpful way to keep
expanding. Yeah. And leveraging the new contacts that you make.
That's definitely a great way. You know, just ask someone
that, you know, do you know someone in this area or doing this
(23:05):
particular work and let that kind of spread out, you know, utilize
your network to expand your network. And that's probably
the best way that I found, you know, reaching out to anybody
like Jody and say, like, hey, we're looking for
somebody to do this thing or has this particular
knowledge base and see who they have in their, you know,
(23:28):
Rolodex of folks. And that definitely helps. I do
think it's funny that you keep mentioning Rolodexes. So do you want to tell
our younger audience what a Rolodex is? I did see you laughing
at my Rolodex analogy there. And it's very fun. If
you haven't had a Rolodex, I don't know if you can still buy one of
those, but, you know, like, you can spin it and it makes, you know, look
(23:49):
very official that you're spinning through it. So basically it was like a.
I normally think of it as more of the round, like, Ferris
wheel of, you know, business card type things where you put people's
names and it was ordered alphabetically. Normally
you could just do it more in, like, a tray format, but the spinning
is way more fun. So, you know, you could go through your
(24:12):
phone contacts or, you know, through your email
or whatever, but if you have an actual Rolodex of that
and it's a great backup because if your Internet's down,
you know, major cyber event, and you can spin that thing, then
that's a lot more fun. That is true. So, yeah, like, I guess there
is still a place for it. I've heard of this mythical Rolodex, but I
(24:34):
don't think I've ever seen one. So, yeah, you're missing
out, you know, just spinning that and seeing who pops up to
reach out to you. You know, that's also what you don't want to do
when there's an incident going on: grab your Rolodex and spin it and be
like, who's this random person I should be reaching out to? So. Well,
this just made my day. The way Megan took such a polite dig
(24:57):
at Matt for his outdated references of a
Rolodex. Very true. Yeah. I don't know what to
say these days. I don't. Your contact list, I
guess. Yeah. It's not as fun. It's not as fun. No, that's right. It's great
to have one word that means all the people in your
network. Rolodex seems to work. I like it. But I
(25:20):
also like that Megan took a shot at you. I appreciate that. Yeah. I mean,
I guess it would be like we're saying that we're taping this
podcast. That would be the equivalent. Yeah,
that's right. Well, this has been a tremendous conversation, and I
think what you've heard Matt and Megan talk about can really help
do the security work that you're doing, because
(25:42):
you will. Hopefully, in your organization, you will never
have all of the security breaches happen. You will never have
all of the incidents happen. So this is a great way to
learn about them and stay on top of it. And you can join us next
episode as we discuss more security challenges impacting health
care and practical ways to address them. And, well, Matt and
(26:05):
Megan, is there anything else that you would like to add as we
wrap up this episode? I'd say feel free to reach
out again. We're all about, like, building those relationships, so
feel free to reach out with any questions or if you
do want to chat on any topic to Megan or myself. We
also have a link to a form for any feedback or any
(26:27):
suggestions. Yeah, and don't forget to lock the back door.