- Speaker #0
This is Cyber Defense Radio with your host and cybersecurity champion, Annabelle Thomas. Annabelle brings to you another globally recognized cybersecurity executive in the hot seat today.
- Speaker #1
I'm your host, Annabelle Thomas, and today in my hot seat, I have Duke Lai. Duke is the Chief Information Security Officer at the University of Maryland and Medical System. Duke, welcome to the hot seat.
- Speaker #2
Thank you. It's a pleasure to be here. Thank you for having me.
- Speaker #1
Yeah, we're so happy you're here and joining us in the hot seat today. There's so many different things I could ask you, and I know you've been just reading a little bit about your career and all the different things you've done throughout the years. So let's jump right in. Can you tell me a little bit about the career and journey you've had to becoming CISO and some of those challenges and pitfalls you've seen throughout the way?
- Speaker #2
Sure. I think I can start with... you know my time on active duty in the U.S. military in the army. I was a combat engineer officer but I was serving at a time when technology was starting to make advancements in transmitting data over our radio signals and so I got involved in creating a battlefield tracking application in the field and that's really kind of where I got started. I was kind of self-taught. I in my spare time I was building websites at a time when websites were new just for fun and so with that interest when I left active duty I started working for a technology company in network operations so my background is in network engineering and network operations so that gave me a good foundational understanding of IT and infrastructure from there I progressed to working you know on large network companies i worked at uunet mci worldcom and after that i was able to leverage my data networking background in the world of cellular carriers so i moved over and started working at nextel which was acquired by sprint in the cell phone engineering arena that back then cell phones were primarily voice and they were looking for some some people with experience in data networking. to help them put data on cellular. So I was able to leverage that background and had the opportunity to develop some pretty cool smartphones and modems that had better data capability. But at that point, I happened to come across an acquaintance who I'd worked with before after leaving the military, and she had offered me an opportunity to work in this field called cybersecurity. And this was a while ago, and I said, oh, that sounds cool. So let's give it a shot. So, you know, I was able to join a security practice, a consulting practice in this field of a new field of cybersecurity and protecting information, which I thought was interesting. So that's how I transitioned from being in the military to working in networking and IT infrastructure technology to cybersecurity. And then I had the opportunity to take a role at Verisign, which was an IT security company. So they were responsible for website verification and domain name registration. So I learned a lot about large IT infrastructure companies and that experience. And from there, I had the opportunity to move to a small financial services company where I was given the opportunity to start a security program from the ground up. So when I got there, they didn't have any dedicated IT security resources. No one dedicated full time. There was, you know, partial part time duties for other people who are working in networking or server administration. And so I was fortunate enough to be supported and resourced by, you know, leadership there at that company to acquire. technologies that we needed. And I spent 13 years there and eventually became head of IT security and IT infrastructure, so the equivalent of the CISO and CTO roles. And then from there, I got lucky and I happened to run a come across this opportunity at the University of Maryland Medical System for the CISO position. And I was new to healthcare, but knowing that I had spent a lot lot of time in protecting data and building infrastructure for financial services, I was able to leverage a lot of that experience in this role here. And so I've been at UMSS now, which we shortened to UMSS, for almost four years in this role and it's been very rewarding. I really enjoy the mission. of a healthcare system. We're one of the largest employers in the state of Maryland. We have 10 hospitals and a flagship teaching hospital in downtown Baltimore, the University of Maryland Medical Center. So that's where I am today.
- Speaker #1
That's awesome. That's cool to see the different journey you've had throughout your career all kind of stemming from your military experience and then just about evolving over time to where you're at now. Now, when we talk about healthcare, a lot of people on the cybersecurity side kind of seem to hesitate or kind of maybe aren't as excited about, you know, jumping into healthcare just because of the risk. How that's especially more highly regulated industry and a lot of the challenges that come with that, that's unique to healthcare specifically. Can you share a little bit about some of those challenges you've seen specifically in the healthcare industry as it relates to cybersecurity?
- Speaker #2
Yeah, I mean, it's... it's a very, very challenging and dynamic environment. And the mission and the focus is on providing quality patient care, and it should be. And that's what we all work towards. Unfortunately, there are a lot of threat actors, bad actors out there who are targeting healthcare because we have a lot of sensitive information. Our mission is time sensitive, right? Our availability of data of information, availability of our electronic and information systems has to be up all the time because hospitals never close, right? We're open 24-7, 365. And threat actors know that. And they leverage that in order to, of course, exploit us for ransom or steal patient information or employee information to sell and make money. So there's a lot of financial motive behind that. The other challenging part is the is the environment. A lot of healthcare systems like the University of Maryland medical system have grown up by acquisition over time. And so it's a patchwork of networks and a patchwork of information as part of that risk. And so network segmentation is a focus area. Another risk area is the proliferation of medical devices, which is different than other industries. So we have tens of thousands of medical devices connected to our network, and a lot of those devices don't support or aren't compatible with security technologies such as EDR, you know, endpoint detection and response agents. So we have to find a way to mitigate that risk and layer in security to protect ourselves and our data and our systems from the compromise of medical devices. So that's a very unique challenge as well, right? And so in terms of the demographic of our employee base, you know, we have a lot of people who move around and change roles. So managing identities is another area that can be challenging and dynamic. So and you mentioned, you know, regulation and regulatory compliance. So we have, you know, HIPAA compliance. compliance. We have state and other federal regulations that we have to comply with for protecting privacy and protecting, you know, patient and employee information. Those aren't necessarily unique to healthcare, but it adds another sort of dynamic to our security program and what we have to manage.
- Speaker #1
Right. Now through all of that, especially in the healthcare, have you had any pushback from the board, from any, I guess, any other user groups that have to adopt some of these different security or IT kind of practices? And how do you navigate some of those situations to make sure that the company as a whole, culture as a whole, is adopting that security mentality.
- Speaker #2
Yeah, fortunately I've had a lot of great support from our senior leadership, senior executive leadership and our board. So that is really, really certainly very, very helpful because that's one less challenge to have. So with that support, of course, whenever you implement a security safeguard, there are going to be operational challenges. There's always a trade-off between additional security and operational convenience. So of course, you'd rather have your providers and clinicians spend more time with the patient and less time logging into an application using MFA or having their workstation be locking out more frequently because that's, of course, that's better security, but that may hinder the quality of patient care. So we have to work with our partners in the clinical spaces, in the hospitals. We have to actively listen to what their needs are. and perhaps look for alternative safeguards, right? Or discuss risk with our governance committees and with our senior leadership to have them understand that, okay, if we allow, you know, reduced safeguard in order to accommodate a clinical need or an operational need for patient care, is that acceptable? And what is that, you know, how does that look? Or do we invest in an additional safeguard, another layer? or an alternative safeguard that allows us to still accomplish the mission, but we still protect our data and our information systems. So it's a constant conversation. There's no straight answer to any of these safeguards. And I think that it takes a lot of relationship building and nurturing of our stakeholders and making sure that we have a close relationship with them to understand their needs, understand our business, which is essentially patient care, at the same time, having them understand the accurate view of what the risk is that we're trying to manage in terms of the cybersecurity risk. So a lot of it is not technical, right? A lot of this role as a CISO is engaging with our stakeholders and our partners within the company.
- Speaker #1
Right. And that makes sense too, because those relationships, like you mentioned, are very valuable and critical to security really being effective, especially like you mentioned, the operational side, the convenience side versus being up to date with those security practices and doing what's best. But it is hard sometimes to balance between the two. Now, switching gears a little bit more to the security side of things and specifically the security team that you have over there. How has that dynamic been to kind of manage the security team, making sure they're staying up to date on the latest things that are coming out, the latest threats that we are seeing? And how is that dynamic? What's the approach of leadership that you've taken to manage the teams below you?
- Speaker #2
Yeah, I mean, I'm fortunate to have a team of outstanding security professionals who are, you know, are very good at what they do. But it does take a lot of time to build a team that... is organized in a way that we can support our mission in a responsible manner. So, you know, in today's, I think, job market, of course, it's changing, but it's always hard to find team members with the right qualifications and background. And so, we have developed an organizational structure where we allow some upward mobility. We've just opened up some entry-level positions so that we can bring in people who are newer to the industry, maybe some college graduates or people who have background in technology and an interest and a passion for cybersecurity. We have a very active internship program where we're able to give opportunities to folks who have an interest and an aptitude for cybersecurity to get some experience and build that future investment. in our cybersecurity industry. So in my experience, addressing the needs of our security team at all the different levels has helped us to build the skill sets that we have. Organizationally, we have team members dedicated to GRC. We have team members dedicated to security operations, which people typically think of what a security team does. And then we have team members dedicated to engineering and... and architecture. So forward planning, forward thinking, roadmap and strategy. And I think that those are the right fit for us. Of course, you know, we on a frequent basis, we're reassessing how our organization needs to change and adapt to what the threat environment is, what the company's needs are, and in managing what we need to ensure for the safeguard of our data. and to enable our providers to provide that patient care.
- Speaker #1
Yeah, that definitely makes sense because sometimes it can be hard to balance that when you talked about having internships, entry-level positions, but also providing that upward mobility and just training across the board for the team to make sure you have a well-rounded team that's able to respond and provide the expertise and skills that your team does need, that is very valuable to have. Now, talking a little bit and explaining a little bit more on that note, for those who are interested in getting into the cybersecurity field, especially in this economy right now, what advice do you have for them?
- Speaker #2
My advice would be to look for opportunities to. to learn on your own. You know, there is formal training, formal classes, certifications, and of course those are important steps. Those are markers that show that you've gotten some some of that needed training. But there are a lot of free resources out there. There are websites that provide free cybersecurity classes. You know, I would encourage folks to build their own Kali Linux box and learn how to do conduct a vulnerability scan on their home network. And I think that that type of experience on your own, you can certainly have points to talk about, examples to talk about when you go for interviews and to kind of differentiate your experience from others who are also interested in entering the cybersecurity industry. Other areas of resources are organizations. There are, For example, B-sides or other types of OWASP, not-for-profit, non-profit cybersecurity organizations that folks can join and network with other people who are either working industry or at the same level and learning what others are doing in terms of trends in the industry, learning about technologies that are coming out and keeping up with what the threat environment is so that when they do get an opportunity. to pursue a position, they are well versed in what's going on, you know, in cybersecurity, in terms of organizations and skills.
- Speaker #1
Right. Yeah, especially with cybersecurity, it changing and evolving so quickly with all these different technologies coming out. It's always critical to stay up to date on the latest information. But as you mentioned, too, the networking piece has been huge for a lot of people. Especially in the cybersecurity industry, because it's more of a smaller community compared to other positions in other areas as well. Well, Duke, thank you so much for taking the time. Before we end today, is there anything else you'd like to share with our listeners or viewers?
- Speaker #2
I just want to say thank you for the time today. And it was a pleasure speaking with you.
- Speaker #1
Awesome. Well, thank you again, Duke.
- Speaker #0
You've been listening to Cyber Defense Radio. Stay tuned next time for another amazing and informative episode. CyberDefenseRadio.com is proudly part of the Cyber Defense Media Group, where InfoSec knowledge is power.
- Speaker #2
Cyber Defense TV and Cyber Defense Radio have launched 24 by 7 by 365 live streams. Visit them online today at Cyber Defense TV and Cyber Defense Radio with your host. and cybersecurity champion, and my good friend, Annabel House.
