Sep 29, 2024
Episode Description
In this conversation, Michael Hensley, head of cybersecurity at Modern Health, shares his journey from software development to cybersecurity, discussing the evolving landscape of the field, the unique challenges faced in health tech, and the importance of community and mentorship. He emphasizes the need for effective communication in leadership roles, the balance between employee education and implementing security measures, and the future trends in cybersecurity, including the role of AI and third-party vendor risks.
Transcript
AD: Hi everyone, welcome to the Hands-On CISO podcast. My name is AD, and today we'll be talking to Michael Hensley. Michael's been in the security field for almost a decade, and today is the head of cybersecurity and HIPAA security officer of Modern Health. Michael, how are you doing today?

Michael: I'm doing well, can't complain for a Monday. Thanks for having me.

AD: Of course. Amazing.
AD: So before we get into what you do today, could you tell us how you got into security?

Michael: Yeah, so it was honestly a little bit of luck and a little bit of hard work. The luck part came first, I'd say. I was working as a software developer, and I just happened to be assigned to a company-wide initiative where we'd be working with the director of product security at the company that I was at. I was really interested in what this person did. I was like, oh, a cybersecurity person, how cool. So I had all these questions for him. At the end of this meeting I was in, because the meeting ended a couple minutes early, I asked him how he got into security and what are some of the things that he learned to take that career path, because I had never really talked to somebody who was a security professional at that point; I was fresh into my tech career. This was still in the days where companies had desk phones, and so the next week my desk phone rang and he was on the other side. He said, hey, you have a really good background to learn to do this job, I have an opening on my team, would you like to switch over to my team? So I talked it over with some folks in my personal life and I was like, all right, let's do it, I can always go back to software development if I don't like it. And I've just been doing it ever since.

AD: Cool. And what would you say are the biggest changes you've seen in this field since?

Michael: I think the biggest thing, just like anything, just like the general trend in tech, is the move to cloud. I remember the first part of my first security job at that company was running vulnerability scanners; I was scanning our data centers, which hardly any people have anymore. And then when I followed that person who was my boss at my first company, who ended up being my mentor, I followed him to the next company. That company also had on-premise servers, an on-premise file server, but AWS was starting to be super hip and cool and just moving everything to the cloud. As I've journeyed through my career, things have become more and more and more cloud-based. The company I work at right now, we don't have a home office where people work out of or that has special network access. It's people working from home, it's people going on vacation and being like, oh, I'll work a couple days and then take the next week off. So it's really moved to everyone is everywhere, and the things that we're running in terms of processing data, or all of the company's assets, are just running in the cloud. So it's gone from thinking about how do you secure bare metal to how do you secure people's access in the cloud, and how do you secure your cloud-based assets in general.

AD: Interesting. Would you say that your experience as a software engineer from before is something that helps you a lot on a daily basis?

Michael: Absolutely. My mentor was right when he said, hey, your software development background will be really helpful. I think especially in the application and product security space, knowing what a developer's life cycle is, knowing what the pain points of being a software developer are. Even though I didn't do it that long, I still remember some of the things that took the longest for me, or that I struggled with, or were really annoying. I think I've carried that through my career as I've tried to think about the developer-first security experience. I mean, there's more to security than just that, but I got my start in application and product security, and it really helped to move over to the space and be like, all right, I have this fundamental understanding about how to write code. I wasn't an expert at it by any means, but then knowing, hey, I need to secure it, I've kind of been in the shoes of someone who has to meet a project deadline and write this feature, so how do I think about moving security into that space. I also think, as I've taken over more and more areas of security at my different stops along the way, including at this job, I've always tried to put myself in the employee's mindset to say, hey, will an employee actually follow through with this process, will they actually use this tool? When we're picking solutions for Modern Health or we're building security into business processes, it's: can I fit that into someone's workflow where, one, they'll remember to do it, and two, it won't be so annoying or so cumbersome that they just ignore it altogether. It's like, oh, I really got to get this in, but I can't follow this secure process, so I'm just going to do it this way. So trying to meet people where they're at, I think, has really helped in my career, and I think it's really important, especially as you get into security leadership, to really think about that and make sure that you and your team are doing things that meet the business, how the business is being done.

AD: Amazing. What do you think, in security... I lost my train of thought, sorry. All right, what does your day-to-day look like? Because I know that mostly security professionals have a lot of things going on at the same time.

Michael: Yeah, so I can't speak for other folks, but my day-to-day as head of security at Modern Health... I always joke with my team that I'm the paperwork guy. The way that I try to run my team is I try to get them as much time as I can solving the interesting engineering security challenges that come with being a cloud-first company and a startup. So my day is a mix of making sure my team's enabled, so they have all the correct information to do the projects that they're working on and advance our security controls, and then it's thinking ahead to the company strategy: hey, what's going on in the business right now, are we prepared for it, are there things we need to think about? Then that trickles down to, okay, well, we need to do this, am I going to need to ask for more budget money next year, or do I need another person on my team to be able to cover this area? And then I also have to keep one eye on the compliance piece. We have an amazing legal team here at Modern Health, I mean everyone's amazing, but I work a lot with our legal team to think about our compliance readiness, because we operate internationally and we also process health data in the US, so we're involved in just about every regulation that has letters that you can think of. So keeping a thumb on that, making sure that we are staying in compliance on a day-to-day basis, working with some of the vendors that we do to make sure that we stay in compliance, and then also thinking about our strategy for the future: hey, do we need to do more attestations? Modern Health does a SOC 2 Type 2 audit every year, and so thinking about the future, what's it going to take to move the needle for our next set of customers. So it's a mix of all those, and you've got to wear a lot of hats at once. When I got into this job I was not the most organized person, so I've definitely been working on my organization and prioritization. But we luckily have some amazing folks who have done leadership for a while that I've gleaned tips from. Yeah, it's basically a lot of wearing all those multiple hats and making sure my team stays happy and making sure the company advances its security posture.

AD: Wow. And how would you say doing security in a health tech company is different than doing security in maybe something more dry, maybe more tech-tech?

Michael: Yeah, I think that there's definitely advantages and disadvantages. I'll start with the advantages first, because I'm a glass-full person. There's a lot of scrutiny on highly regulated companies, whether it's making sure we're following privacy regulations, making sure we are following the HIPAA security rule; there's other states that have cybersecurity laws as well in the US. So people operating in healthcare understand that security is tantamount to making sure that you have a good business, and so I'm lucky in that aspect where people realize, from the leadership level on down, we have to take security seriously. We can't just ignore the security team, because, well, one, the law says that we can't, but then also we are in one of those sectors that is targeted more by attackers. It's healthcare, public utilities; you see all the time in the news healthcare companies getting breached. So there's definitely a lot of good data out there for attackers to try to get if they could breach a healthcare organization, and I think people understand that inside the company, so that makes my job easier. I don't have to go convince people that security is important. But the downside to that is there's just extra work involved. Being in a highly regulated industry, I spend sometimes a good chunk of my time thinking about compliance, thinking about making sure that we're staying on track with audits and other things of that nature. I would think maybe at another company where there weren't as many regulations, I could spend my time maybe doing some other things. But overall I really enjoy the healthcare space for that reason, because I think that you have to have security for entry. There's not a company, at least not that I know of, where it's like, oh yeah, we're a healthcare company, but we don't have a good security program. I think people who are smart, who are leaders in those types of companies, really think about the fact that, hey, security is a business asset, security will drive our business forward. Even though security is a cost center, I don't make the business money; we take budget, we have headcount, the contributions we make don't drive our product forward for the most part. But we are reducing risk and we are helping the company stay compliant, and so that is a business asset. So I do enjoy the regulated space for that reason.

AD: Cool. Do you think that... you say that because you're in health tech people are much more aware that it needs to be a certain way, but how much time do you spend on educating, not specifically your team but just employees in the company, on the different risks, versus how much time do you spend on implementing barriers that will not allow them to make mistakes, I guess, that could affect the security?

Michael: Yeah, that's a good question. It really... I'll give you the classic security answer: it depends. Sometimes there's a season where the focus is on employee education. We do education stuff throughout the year; we think that's important for our team. So we do security awareness training every year, we're always making sure we have touch points inside of engineering, inside of tech and inside the company when it comes to educating people on security best practices or making sure that security stays at the forefront of people's minds. Because even though we are in that regulated space, it's easy to get absorbed into your day-to-day job when you're in a startup; it's go go go. So we try to stay in front of that as much as possible. But based on what I think, and more importantly what our team thinks the company might need, sometimes there's just more investment in, hey, let's put on guardrails, and then detective controls. Sometimes, if there's an area that hasn't been explored as much as other areas, we might spend more time at the beginning putting in detective controls, doing an internal team audit ourselves, saying, all right, let's explore this area, let's explore the processes here. After that happens, we can spend time: hey, we understand now how this part of the business operates, we'll spend part of our time educating and then part of our time building guardrails if we find anything where we're like, hey, we would like to mature the controls or the processes in this area. So it kind of fluctuates, but I try to keep a balance of, hey, we're building guardrail controls, but we're also educating as well, because you could build the best guardrail controls in the world, but if you're not focusing on the people on a regular basis inside the company... I think I've seen somewhere, I couldn't tell you exactly where, that people are the number one cause for security breaches. So we try really hard to help people, or prevent people from even causing a breach with some of the controls we build, but also reminding people, hey, these threats are real, and you can do this to help the company out if you build security into your processes, or do this or that to help our posture going forward.

AD: Interesting. I remember in one of the conversations I did, I was speaking to Andrew Rose, who's a very experienced CISO, and he was talking about how most security teams put 90% of their efforts into the tech, but most of the breaches, like 90% of the breaches, are because of the people. So there's some sort of imbalance there. It actually leads me to my next question: when you do put these blocks, to put it that way, do you ever feel like a bad cop? Are there ever situations where you have to be like, no, we can't do this?

Michael: Oh yeah. I wouldn't say all the time, but there's definitely times when it's more of a, hey, I understand what you're doing here, but for this reason or that reason we can't do this process like this anymore, or we have to change this over here. I tell people that I think this is why relationship building as a security team is really important. I tell the folks internally, I try my best to build relationships with people, meet people where they're at, shake hands at company offsites, and really get to know the different people I'm working with, especially the strategic stakeholders, because it's not an if but a when. When it comes time to have that difficult conversation, it's not like I'm just showing up out of nowhere and being like, you can't do this anymore. People are like, oh, I know this person, he's tried to know me, and Mike's not a bad guy, he's just doing his job, and he is trying to keep the company safe. I think that has really been a benefit for my career, for myself and then the rest of our security team. We really work hard to not just participate in the company but be culture carriers as well. I take my job seriously, but I don't take myself that seriously at work, so a lot of jokes, lots of memes, other things to try to keep security as light as possible, because there will come a time with each department when we have to have a conversation with them around, hey, we've got to change this, or later down the road we need to fix this issue that we have, or this process is out of date, let's do something else. It's hard for people to change their workflows, but if you're talking to someone who you feel like wants to know you and understand you in a genuine way, and wants to support the work that you're doing, but then also comes to you and says, hey, you have to change the way you're doing things, I think people are much more open to that than if you just stand behind your wall of mystery, I guess, as a security person, and then only come out when you're telling people no.

AD: Yeah, I could see how that could be less appealing to people if that's all you're doing. Have you ever seen or experienced in your career a big security breach? Of course you don't have to say companies or names or anything.

Michael: Yeah, I mean, I've lucked out on that. I think every company has incidents or things that they have to investigate; that's just part of the job. I've lucked out, I haven't been a part of any major security breaches. So I feel for the folks that I see in the news. I know people are apt to pile on sometimes, where it's like, oh, this company, look at them, they got breached. It's like, this is a hard job, this is a really hard job. Depending on business circumstances, or depending on the fact that, hey, you can spend all year building up controls, and then, like you mentioned earlier, some person can make one honest mistake, or one control can go wrong, or one detection can go missed, and that's the cause. So I think that's why a lot of folks in the industry get super stressed out, because we need to try to operate at 100% all the time, and sometimes if it goes down to 99% you can miss that one thing. So I feel for the folks. I haven't personally had to go through recovering from a major incident, fingers crossed that I don't have to in my career, but I have a lot of empathy for the folks that have done that.

AD: How do you feel when you hear about a company that got breached, or when you experience it from the side as someone who understands it a bit more than the masses on the news and stuff like that?

Michael: Yeah, I mean, I've been, as both an engineer and here at Modern Health, I've gotten that message like, hey, we need to look into that. It's like, right, guess my wife's on her own to feed the kids tonight at dinner. Some of the big ones that you see in the news, I'm like, okay, the response teams, they're working 10, 12 hours, sometimes more, to recover from this, they're working late at night. So I hear that and I have a lot of empathy for them. And then it's always really interesting, whenever companies are willing to be transparent and publish their root cause analysis, it's interesting from a measuring perspective for someone like us at Modern Health to say, hey, have we thought about this before, or do we have the preventative controls? I think we can all learn from each other as companies. So I have a lot of empathy for folks that have to go through that, and then it's also one thing that, if companies are smart, they can see if there are breaches in the news: hey, how did this initially happen, do we have controls for that? Because it's not just a hypothetical point; we can point to something and say, hey, this company was breached because they didn't put these controls in, or the way that this process worked for them internally wasn't secure because of x, y and z. Are we doing that here? If not, we should, or if we are, that's good. I kind of use that as a good talking point for the company: hey, luckily we have some really smart engineers on the security team who have put these controls already in place, and so this is a good reminder. On a day-to-day basis folks may be like, ah, we have to work a little slower because of security, but then it's something that we can point to to say, no, there are real-world implications here. We understand this might be a little bit more of a blocker, we understand that this might make your day just a tiny bit harder, but hear me out, these are important. Hopefully some of these controls are the difference between us staying out of the news because of security and being in the news. As much as I can, I'd like our company to be in the news for anything besides a cybersecurity breach.

AD: Well, how often is it that you see some sort of breach or security event in the regular media, and that causes your company, or any company that you've been in, to actually implement something new or change something that exists?

Michael: Yeah, I think I've seen it happen at multiple companies that I've been at, where it's like, oh, we haven't thought of that, or we haven't put as much time into this as possible, or, hey, this company is way bigger than us. We're a smaller company; I've worked at small to medium startups most of my career, the first company I was at was a really large company. So you can also use it as a future-thinking road map thing: hey, this is not maybe a problem that we would have right now just because of our small scale, but as we scale up this is something that we'll need to think about. So I think if folks are smart, then we shouldn't just, as a community, be looking at other companies that are breached and say, wow, sucks for them, our security controls are the best, because we're always fighting a losing battle here. So having empathy, but then also being smart about saying, all right, well, could this happen to us, and let's spend the time to think about if it could and do some research on that. I think just about every company can learn from other companies' breaches that are reported, but then also from folks that are doing things right. I would love to see more in the community of, hey, we put these controls in six months ago and they paid off, we had an attack that failed because of this. I think we could probably do more as a security community to give each other some positive fist bumps, like, hey, we put these controls in and these work; oh yeah, we should invest in that too. So I think it's one of many things that folks should be using. I think the other nice thing about being in 2024 is there's a lot of really good security frameworks, there's a lot of good security best practices and principles. So cybersecurity is not one of those things that's shrouded in mystery; there's a lot of really good information out there, it's just the implementation that's hard. So constantly trying to measure yourself against industry standards, and constantly trying to measure yourself against what other good security-minded companies are doing, I think is really important.
AD: Also, are CISOs very connected to each other? Like, when something happens, is there a chat going on, hey...

Michael: I want to be part of that chat, that sounds great. Yeah, I think, for me personally, with COVID and working at a remote-based company... I don't really live in a big city. I live in Eugene, Oregon, it's a couple hours south of Portland, where the University of Oregon is, so there's not really a good community here for me to be involved in. I think if I lived in a bigger city I'd get invites every once in a while to network with peers, and if I didn't have kids I'd probably take folks up on that. I do think that it seems like there's a lot of CISO group chats out there, and so if there's a fellow CISO watching this podcast who can get me into one of those group chats, please send me the invite. But I do think that that's important. I think just in general, relationships and being connected with folks who understand what you're going through is really important, because it can be kind of lonely sometimes. When I was a security engineer, I had my fellow engineers to be like, ah, this sucks, or this is hard, or yeah, I'm struggling with this, can you help me out? But normally, unless you work at a giant company, there's just one person who's the leader of security, and so that can get a little lonely sometimes. I do have, at my job, I'm thankful to have a really good tech leadership group, led by our CTO and CPO, and so I have community there, but I am a little bit on an island by myself. So I do think community is really important, and so some people need to come in and do some meetups or something in Eugene, Oregon, and I'll definitely be there if that's the case.

AD: Maybe you're the person who needs to do them.

Michael: That's true, yeah. Why am I saying... I'm making a plea to people that I haven't met yet. Maybe I need to walk my own walk and do this.

AD: Interesting. So when you talk about the team and the community, it makes me think a lot about how stressful the CISO role is, and how it's sometimes not talked about much. How do you experience that?

Michael: Yeah. I think...
um I'm not a psychologist I don't have a Psychology major or degree of any kind
but just from my own personal experience and maybe this is just maybe this is uh
maybe I'm not a good multitasker or or contact switchers some other people but
um what I was surp what I've been surprised about in this role is the
constant context switching uh it's it's the context switching it's the
um uh you know it's it's the different asss from people that have various
levels of urgency and then it's like help keeping the team on track it's like there's just a lot of things that kind
of build up as the load and then it's like oh also like you're you know you rise and fall as like the security
posture of your company does where it's like I'm I'm not an individual contributor like you know I I don't have
a million hours a week to go fix all these controls like I have to have a really strong team which I'm thankful
that I do I have an amazing team that like you know kind of Drive things forward but you're just kind of like the
pace of like you couple like the the context switching with you know the the nature of um the nature of companies is
that you know as you get more mature like things slow down a little bit and so I could have a thousand things on my
list but when you take a look at you know I don't want to burn my Engineers out what's actually realistic to improve
here it's like that list gets chopped down you know way far and so it's like we got a giant backlog of stuff and we
think okay the next six months these are the top 10 or 15 things that we want to do and so like that's not a lot of
things you know and and and for most companies uh you know the security team
hopefully is well funded but you know I don't have enough unlimited amount of Engineers and so that's another source
of stress it's like hey am I am I prioritizing the right things am I doing the right stuff so it's like it's kind
of those two things like it does get stressful and so like I I have to really make sure that like I'm taking care of
myself taking vacation and like I think that's where the team comes in where um you know I'm our company is our company
is a mental health company so I be disingenuous of us to you know kind of Drive our folks into the ground and not
think about how they're doing um I've been lucky enough to take uh multiple Longs of Parental leave two of my kids
have been born when I've been at this company um and uh I I think you know
being able to delegate to a strong team taking time off like is is really important but yeah it can be it can be
stressful so like that has to be built in too it's like I can't just drive myself into the ground with worry or try
to get more done than is possible like being realistic and then you know leaning on your team being confident
about what what you're working on so like that's that's a that's a factor I I was surprised getting into this about
like those two things like the context switching and and then just like not being able to do anything like that does
get really stressful it's it can and I can get stressed out if I'm not like careful about it so hi everyone uh if
you're watching us on video, you can see that we have changed locations and outfits. We had to stop that recording in the middle, and we're going to continue from the same question that we left last time. What we were talking about was: how do CISOs stay updated in a field that's changing so much, where you have to learn all the time but at the same time you're also busy?

Yeah, so for me... I don't know what other folks do. I mean, I've talked to a couple of folks about how they stay up to date, and so this answer could probably vary between people, but for me it's a combination of a couple of things. My team and I are always kind of watching, as simple as it sounds, tech blogs or the news or other things to see what security incidents, or if there's anything going on that's hit the news, and then that's a way that we can segue and deep dive to say, okay, well, how did this happen, or what's the reporting, could this happen to us, what could we do to prevent this? So that's always a nice thing. We have third-party partners that we pay whose job is basically to stay up to date with what's going on, and we get intelligence from them and security bulletins on a regular basis that say, hey, you need to upgrade your Windows machines, or this is what's happening right now, or this new vulnerability came out. And so I think that's really important as you mature your program: to have information sources that are well curated that you pay for. I know that there's expense there, but it could be the difference between a security breach and finding a critical flaw in your system. And so I think that's always good. And then the other way, I might be in the minority on this, but I will, not all the time, but I will just take different calls with vendors or people who do cold outreach, or at least research when people do cold sales calls, to see what products they have and what's going on in the market. I mean, the security software market I'm sure is billions and billions of dollars, but looking at it from a business side, if companies are successful and they have a lot of logos, they must be selling something of use, or maybe they're just really good salespeople. But we've looked at different products at our company, including companies who are early startups, and it was like, wow, that's a really interesting idea, this would solve these gaps for us. Even if the fit's not there or we don't have budget, it's always good, I think, to just on a regular basis see what's selling out in the market, because if something's selling it means companies think that they need it for one reason or another, and then you should evaluate. Well, you know, if everyone's doing it... the old adage, if everyone's doing it, would you do it? Well, in this case sometimes that is true: if a bunch of companies have this type of software, this type of platform, it might be worth looking into to see if that would fit for your company.

I think it's also psychological: you would rather not make a mistake that everyone else is not making. So if everyone is protecting themselves from something, even if that's not the biggest risk, if you do get compromised in that way it makes you look very bad, because everyone else was, you know what I mean?

Yeah, I mean, some of the software that I've seen trying to be sold, I'm like, I don't know what the use case for this would be, or I don't think that this risk is really high. But you do have a point where software tends to follow reducing risk in certain areas where there actually are malicious actors, and so it is something to pay attention to.

Interesting. What do you think is one of
the biggest challenges in cybersecurity today?

Oh, that's a good question. You could go a lot of different ways with this one. I think from my vantage point and my job... I have a really great team of folks who are really good technically and can execute and can help folks in the organization. I think honestly the biggest challenge from a leadership standpoint is getting budget, getting alignment from people. There are all these competing priorities in a business, and you really have to work through relationships. You really have to get to organizations that value security, but then once you're there you have to build the relationships and you have to be able to articulate, sometimes in a non-technical way, why something is a big deal. And I think that's really challenging sometimes, because you could go to a security engineer and someone could say, oh, well, if we don't update this software or do this particular thing, here are all the technical risks and here's what could potentially happen. But then trying to talk to somebody like a CFO or some other executive leader who doesn't necessarily know or understand all this technical jargon, bringing it to a really high level and saying, hey, this is happening to other companies, or if we don't address this risk here's what could happen to our bottom-line dollar, sometimes that's challenging to quantify. Because I'm sure that there are plenty of companies, I don't know any off the top of my head, I'm not being passive saying I know any off the top of my head, but I'm sure there are plenty of companies that have not-great security practices, or maybe they've underinvested in security, but then they don't get breached, and some of it actually does come down to luck. And then there's always more that you could do, and so it's that prioritizing, and it's trying to build those relationships and figure out how to get things done. I guess it's not the easiest thing in the world, and it's something that I think, maybe it's not underrated at this point, but it's something non-technical that is super important that you have to do.

Interesting. So I find it really interesting that I asked you what the biggest challenge in cybersecurity is and you didn't talk about a specific cybersecurity thing; you're talking about a communication thing.

Yeah, I mean, cybersecurity fits into a business. I mean, you don't have risk without processing information or having something that's worth adversaries taking, and so I think that's why we see a lot of these breaches, maybe not the whole reason, but sure, it's a part of it, where it's figuring out how to talk to the right people to get things done. It's really challenging. But that's how it is, I think, for other parts of the business too: how do you function as a part, but then also advocate for yourself as well when people have conflicting priorities or commitments?

How do you balance... I look at it as you have these three things. One, you have your team that you have to take care of, manage, communicate with. You have management that has certain goals, certain agendas, the way they see the company going. And then you have actual work getting done, making sure the company is secure. How much of your attention goes to these different places?

Yes. So I got some really good
advice in my career that leaning into a company's planning and execution process as a security leader... you should be planning your work at certain times of the year, and it's kind of a peaks-and-valleys thing. So you climb the mountain, that's the planning part: hey, what are we doing next? And so there's a lot of focus there. I remember, growing up... I don't do this anymore because I'm not really into cycling racing, but we would sometimes watch the Tour de France growing up, and you have the different stages where they're just pedaling super hard up the mountain. So you're going really intensely at some points in the year: you're planning, you're figuring out what's coming next, you talk it over with leaders, you talk it over with your team, this is what they're doing. And plans can always change, I'll caveat that, but for our company we go really hard twice a year figuring out, okay, this is the most important thing right now and we need to spend the most time on this. And then once that's done, that part drops way down and then it's all about getting the work done. So the time that you put into the planning shifts to making sure execution is good. I also, though, need to take care of my team. I've been at different companies and talked to other folks where churn is one of the biggest things that can slow you down. And people are always going to leave. We're not in an age anymore like my dad, who worked at the same company for like 30 years; that doesn't happen anymore. So I'm not naive to that: people get other career opportunities, they want to work on different stuff. But when you have really good teams, it's really important that you're investing. I try to invest a minimum amount of time per week in my team: one-on-ones, talking with them about projects, if they need help with something, making sure that they feel well taken care of so they can be engaged and they can do their best. And that's also non-work stuff too. We are a remote-first company, but making sure that we're doing fun things over Zoom as best you can on a regular basis. And so that team investment I think is really important, because people retain context the longer they're there at a company, and then if you can provide people career opportunities, I think that's a really important thing too. And not just, hey, I need to be this really great strategist and I need to make sure that we're driving and getting work done, but when my team's happy, things get done. And so there's always kind of that minimum chunk every week that I spend, that could be a little bit more based on what the projects are; maybe I'm going to be a little more hands-on on something that needs more cross-functional support, maybe hands-off other places, but that stays constant, I would say, that team growth and team management. And then it's just a back and forth between planning and getting things done, planning and getting things done.

Interesting. Do you think a lot of CISOs
experience it in the same way, or is it very different in different industries, different companies?

I can't speak for everyone. At the places that I've worked and with the different security leaders that I've watched, it's kind of a similar thing, but it's also company-specific. I think if folks are smart, because security is part of a business, I really try to lean into what's the business doing for planning, what are they doing for work execution, because when a business grows it means that something's going right in terms of getting things done and acquiring more customers. And so leaning into that process, especially in a tech org... everyone that I've seen and talked to does a similar planning thing. There are some folks that might plan way far ahead in advance. Sometimes I will think about, hey, what does a couple of years into the future look like, not just six months from now or a year from now. But I think there you kind of have to... I mean, someone could come next week and be like, hey, you're wrong and here's why, and I'd be totally open to that. But I do think you have to keep one eye on the future and one eye on the present, because if all you're doing is heads down, I've got to do the next thing and the next thing, and you're not noticing, oh, the business wants to do this this year, I've got to get prepared for that, or, oh, six months from now we have this really important decision to make, those types of things can sneak up on you, and I think you risk working on the wrong things if you don't put your head up every once in a while and think about what the future holds.

Amazing. Is there something that you see security leaders missing, something that you think they should be paying more attention to?

Oh gosh, security leaders missing...
I think, yeah, I guess the one thing for me is I read all the time, on LinkedIn or other places, that, hey, we have a gap in the cybersecurity talent pool. And sometimes when you're hiring, if you're hiring a first security engineer you have to hire someone with experience, or if this is your first security hire or you're missing a technical leader on the team, you have to hire based on aptitude and experience. But I wish that more folks would come up with ways to invest in people who want a shot at getting into the industry or don't have a lot of experience. What we did... I was lucky enough on my team where folks were really senior, and then recently, a little less than a year ago, we brought in two people that had never had a security job before. They switched careers, and that's been really, really great: the energy that they've brought, the passion, really great questions. It's been a really awesome experience, but it took some strategy and thinking about, hey, are we set up for doing this, could we actually pull this off? And it's a little scary to say, yeah, I'm going to trust parts of the security program to someone who's never done this before. But I think if you put thought into it, there's plenty of work that can be done by people who are brand new, who maybe have certifications or have a passion for learning. It's a great opportunity for your more senior technical folks or leaders to have opportunities to mentor, to teach, to get better at that part. So I wish more people invested in that, and I wish that there were more jobs that were entry-level, because I think people might be a little afraid and say, well, I need to hire someone experienced because there's so much going on. But anyone can set up a tool and go get an API key and read the results and go figure out, well, is this a big deal or not, as long as they have some kind of mentorship. So there are a lot of things that I don't necessarily think someone needs to have 10 years of experience to do to be effective. The folks that work for me that both just came in, they've been awesome the last year: very effective, they work really hard, they've gotten a lot of really critical stuff done for us, and that's all because the more senior folks on my team have really poured into them and they've really set them up for success. So I've been super happy about that. I wish I saw more entry-level jobs and we got more people into the field, and then I think it would just benefit us all as a whole.

First of all, it's lovely hearing you speak about your team that way. It shows the way you view them and the way you see this whole field, wanting to help people who are getting into it. Do you have any advice for people who are trying to maybe get their first job in security, or have one and want to
advance?

Yeah, I would say two things. Don't give up. The job market's not great right now, I know there are a lot of folks trying to break in, but keep working, keep learning, and then especially keep networking as well: reach out to people, see what they're hiring for, go to meetups. Now that there are meetups and conferences again, go just talk to a bunch of people. I know that can be hard for introverts sometimes, or maybe even if you're an extrovert sometimes it's a little weird to go up to people that you've never met before and introduce yourself, but it is a skill that you need in your career. You have to be able to talk to other people in a company when you're working as a security person, for the most part, especially at a smaller company. And then the second thing: I'd say go on job boards and see what other people are hiring for, and learn those things, and then figure out as you're learning, hey, I really like this topic, so I'm going to go learn about that. I feel like if you try to learn something where it's just, okay, most people are hiring for this, so I'm going to learn that, maybe I don't like it that much but this is what's in the market, you'll eventually burn yourself out if you're not interested in what you're doing. And so figure out what companies are hiring for, but within that, figure out what is interesting to you and what you think you would do really well. And that's changed over my career, every couple of years: oh, I think I want to do this, and then a couple of years later, oh, I want to try this thing. But figuring out the intersection between what companies are looking for in potential employees and also what your passion is, because if you speak about something you're passionate about in an interview, that really comes through. I can tell. When I got to do the interviews for these last couple of jobs, people spoke about, oh, I'm really interested in this, I've been learning this topic, and I'm like, oh, that's great, because if I find something here that you're really interested in, you're going to go all in and you're going to do a good job.

Perfect. What do you think this field is going to be like in two years, in five years? What's
changing?

I think we had this shift in the 2010s, and maybe even before that, to AWS and the cloud, and then I think honestly, in general, people are getting things done not so much with homegrown, home-built tools and platforms, but basically it's become, hey, I have to do risk management for third-party vendors because we have 60 different companies that help us run our business, run our platform. And so I think that shift is just going to continue. I think we're slowly getting to the point where gone will be the days where you've got... I mean, there will always be companies, maybe even service companies, that are running on bare metal, or you have a company that maybe for various risk reasons has to deploy a lot of their own software, and even if they're using third-party software they deploy it in their own environment. We do a little bit of that to reduce risk. But I think more and more it's going to be a shift to this SaaS model: hey, I need to make sure the third parties I'm sending my data to are secure, as opposed to what data the company is storing. So it's going to be less and less about... it's going to be: you run your business with third parties, maybe you have your core platform or your data stored in a cloud service provider like AWS or Google Cloud, and then everything else is, can I risk-manage these third-party vendors? And then I think along with that, in the next two to five years we're going to continue to see attacks and risk management around identity. It's more about now who you are and what type of access you have, as opposed to, oh, I have these servers with these really bad vulnerabilities. It's managing who's got access to what, who has access to what data, who can go and make changes to some of these critical third parties. And so I think there's just going to continue to be a shift around an identity and access management focus as opposed to, hey, we need to make sure that all the assets we own are secure. I think that'll always be important, but I think now it's more of who's got access to what, are we securing the front doors, are we effectively removing or granting access based on what people need. So I think that's just going to get louder in the next two to five years.

How concerned are you about... well, how concerned or how excited are you about AI?

Oh, yeah. I mean, maybe I'm
maybe it's because I'm getting older, or I have kids and I'm turning into this grumpy old man, but I see all the people on LinkedIn being like, oh my gosh, AI is so risky. I'm like, this is really cool technology. I don't know... the risk, this is just me personally, people are probably going to make fun of me for this, but I don't see this as much different from a risk-profile perspective. It's like, all right, you have all these really cool third-party tools, you have to figure out what data is going in, what data is coming out on their side, what could potentially be exposed. To me, from an AI risk perspective, it's honestly a little boring, but not in a bad way. I know people are really excited about it or might be freaking out, but I'm like, yeah, this kind of seems similar to other third-party vendor risk profiling. But in terms of technology capability and what it could do to unlock things, I think it's really exciting. I think there are going to be a lot of tools that say, hey, this is AI-powered, where people are just going to try to sell something, but I think in the next five years we're really going to see where these tools can go in terms of keeping companies safe, and I think that's really, really exciting. I know there's a flip side to that too: attackers will now have access to this AI technology. But you can't just hire thousands of people to watch your security profile at a company, and so I think this is really going to help in terms of defense and noticing things that maybe aren't right in an environment, and making quicker decisions on things. So I think that piece will be super cool, and that I'm excited about. For the risk-profile thing, I'm like, yeah, I think it's honestly a little boring but important to think about. But from a where-this-could-go perspective, I'm super excited.

Cool. I like your perspective. I think you're like, yeah, we're going to have to deal with this and we will. Cool. Okay, so one final question, because we're already at the end of our time: what do you like most about cybersecurity? What really makes you interested in it?

I
think no day or no year is the same. I remember, I only did software engineering for a couple of years, but when I was thinking about switching to this career it was like, yeah, okay, we're going to build a new product, okay, cool, we're going to build a back end and a front end, and there's some new data going here and here, oh yeah, we're going to do some asynchronous stuff. But after a little while, even though it was only a couple of years, I was like, this kind of seems like rinse-and-repeat stuff. I think at any company that has software engineering it's a lot of the same when it comes down to it. There might be interesting things that you're doing or problems that you've never solved before, but there's this kind of formulaic approach to it. I see the opposite is true for security: based on who you are as a business, based on what direction the business is growing, whether it's staying the same or growing or shrinking, all that stuff can make for radical shifts. And at least for me, I think that's the best part, because it can be really stressful too, so it's a double-edged sword. But I think the best part is that no day or week or year is ever the same, because there's always going to be things that come up where you're just like, my gosh, never saw that on my bingo card for the week, or it's, hey, we want to try to do this, oh great, we've never done that before, we're going to need to think about how to do such and such a thing and make sure that risk is reduced. So I like that part. Even when you work at one place... I've worked at Modern Health now for almost three and a half years and the business has changed so much, and the job that I was doing a couple of years ago is so much different than the job that I'm doing now, which is really cool. I don't think you get to say that about a lot of career fields. It's like you do something and then after two years, five years, ten, it's like, great, I've kind of seen it all. But I'm sure that I have not seen it all in this field yet, and I am not even close to that, and I think that's really fun.

Perfect. Thank you so much for joining us on the show. I really like your perspective. I feel like you're very open and honest, and the fact that you're, what's the word, very fresh in this, like you have a lot of new energy. That's what it feels like: that you want to learn, you want to do, and also it sounds like you really appreciate your team, which is very fun to hear.

I think I'm only as good as my team is, and I have a really good team right now, so they make my life a lot easier. I couldn't do all this stuff without them. So shout out to the team.

Shout out to the team. Okay, amazing having you.

Well, thanks for having me on, appreciate it. Yeah, I'm looking forward to doing this again. We'll see in a couple of years if I still have that exciting energy or if I'm burnt out by then. Hopefully I'm still locked in and pumped up. I really think I will be, but yeah, we'll see.

Amazing. It