Datica Podcast

July 7, 2020

Creating Robust Information Security Programs

In this podcast, we speak with Ty Hollins, Information Security Officer for Datica. Ty is an expert in privacy, security, risk, and compliance governance. He has spoken on topics spanning data security, privacy, GDPR compliance, cybercrime, and breach preparedness. Ty received his MBA and BS in Computer Science from the University of London. We dive into the world of information security with a look at how the tools, practices, and culture can combine to create robust information security programs. It’s a classic look at how successful programs account for people and process in addition to technology.


Transcript

Dr. Dave Levin: Welcome to 4 x 4 Health sponsored by Datica. Datica, bringing healthcare to the cloud. Check them out at www.datica.com. I'm your host, Dr. Dave Levin. Today, I'm talking with Ty Hollins, information security officer for Datica. Ty's an expert in privacy, security, risk and compliance governance. He has spoken on topics spanning data security, privacy, GDPR compliance, cybercrime, and breach preparedness. Ty received his MBA and BS in computer science from the University of London. He's here today to talk about information security programs, and I think you're really going to enjoy this. Welcome to 4 x 4 Health, Ty.

Ty Hollins: Thank you.

Dr. Dave Levin: So let's jump right in. And what I'd like you to do first is tell us a little bit about yourself and the role that you fill at Datica.

Ty Hollins: Sure, sure. So, yeah, let me go back a little ways back in history here. So I grew up in a military family, went to grade school in Germany. Loved Europe so much that I stayed and attended the University of London. You know, obtained my BS in science and MBA. Now I have over 15 years' experience in security, risk and compliance and privacy. I like to stir new vision to develop and improve people, process and technology. I've strengthened and grown global brands over the course of numerous years by building and implementing security and risk as it applies to products and services. I'm an active board member on several security and compliance associations. And what I like most about that is it allows me to advocate and develop standards and guidance for security and compliance professionals. Here at Datica, I am the information security officer and I am responsible for and lead the security, risk, compliance and governance for Datica's products and corporate environment.

Dr. Dave Levin: Great. I'm sure we're going to get into a lot more detail about what those various nouns and verbs mean in a moment or two, but I am curious, having had the experience overseas and having gotten some of your education overseas, how does that impact your view of some of these issues? Has it changed? Is it somewhat different than what you might encounter in someone who is a purely homegrown United States professional in your area?

Ty Hollins: Well, what it's allowed me to do is adapt. And what I mean by that is just adapt my strategy and my implementation. Thinking not just US-based, but thinking of a global-based approach, whether it's people working with different cultures, whether it's the technology, knowing that the technology that we use may span across the globe, and also threat actors, those bad guys, may be global threat actors or global threats. And then there's the process. Knowing that from a process standpoint, globalization has caused us to think beyond our borders. So most of our processes don't just affect US operations, they'll affect the operations globally. So making sure that those processes are scalable for organizations when they may start off small, but eventually want to grow into a global or multicultural, multi-global organization.

Dr. Dave Levin: Right. And some of our current customers operate in different markets, including the United States and overseas. And so you're part of our secret weapon, I think, in understanding some of the nuance there. What it made me think of too is I was very fortunate when I was serving as the CMIO at Cleveland Clinic to be involved in a pretty large health IT project in the Middle East, spent some time there effectively consulting to that project. And I've also spent some time traveling and writing about healthcare IT in China. And I sort of concluded two things from that. The first was what you said, which is, it kind of helps you put your periscope up higher, you get a different perspective on certain kinds of issues and approaches. But the other thing it did was it really made me appreciate how much local factors can influence what you do and how you do it. And I won't retell my stories 'cause we're not here today to hear about me, but every time I would come home from work in the Middle East I'd go, oh my God, the environment is so complicated and so different that a lot of times I had trouble really even understanding the issues, much less how you would respond to them. So let's move on now. I want to get deeper into the area where you are an expert, and you and I talked before, and I've heard you advocate for this, thinking about this work as information security programs. And so what I'd like you to do is take a few minutes and tell us what you mean by that. What is an information security program, and then we'll get into why you think it's important to approach the challenge that way and some of the detail under that?

Ty Hollins: Sure. Yeah. Thanks for that question. So yeah, for me, an information security program is, in essence, the combination of policy, security architecture, modeling, security services and security control practices. And overall your information security program describes the administrative, operational and technical security safeguards that must be implemented for information systems and applications which are involved in the collection, storage, use and dissemination of data. What's important really about an information security program is that it provides business value by applying appropriate administrative, technical and physical safeguards to protect the confidentiality, integrity, and availability of assets, data, and resources. For me, I look at the program itself as consisting of two parts, security operations, and then compliance governance. These parts are definitely key concepts. But when most people think of an information security program, they think of just security operations but not compliance governance, which is equally important. And in fact, to have a sustainable and effective information security program, it requires that you have both security operations and compliance governance working together. And I can dive a little deeper into that. So compliance governance, what it does, in essence, it prevents and detects violations of regulations, rules, policies, and procedures which are designed to protect assets, data, and resources. And those are what I like to call the domains that make up the compliance governance, or your control management. So that's your controls that are assessed, designed, and making sure they operate effectively. Then you have your risk management, which is just identification, evaluation and prioritization of risks, followed by coordinating the application of resources to kind of minimize, monitor and control the probability or impact of an event. And then exception management is just making sure things are documented when things aren't, or controls or risk, or excuse me, controls are noncompliant to laws, policies, and regulations. And then some other pieces are policy management, audit management, and just the overall training of your employees and users and managers of data. From a security operations standpoint, in essence, what that does, it just makes sure that your environment is secure. And it does that through a couple of domains. We have a term, security information and event management. And that in turn is just reviewing of logs, making sure real-time threats are addressed, incident response. You can also do forensic investigations of past security incidents. You have your security operations center, those that are the centralized unit that deals with security issues in real time, vulnerability management, advanced threat protection and identity management. So there are some areas from a security operations standpoint that make up that core function.

Dr. Dave Levin: There was a lot in there. Let's unpack that a little bit. And again, what I've been learning as you've been educating me is, the goal here is a program that secures the assets, as you've referred to them. There are these sort of two big buckets of activities. One is the security operations, the other is compliance governance, and you've taken us through a little bit of what's inside those buckets as well. I want to ask you a question, but before I do, I have to remind you that one of the ground rules of the 4 x 4 Health podcast is you are not only allowed, but you are encouraged to call BS on the host. The things that just don't make sense, they're just flat out wrong or whatever. I'd like to think that our listeners find that a little bit amusing too. But as I've listened to you talk about this now a couple of times, what I keep flashing back to is one of my favorite mantras, I refer to it as "The iron triangle of people, process and technology." That if you don't address all three when you go to do some sort of initiative, particularly one that involves technology, you're very unlikely to be successful and extremely unlikely to get the full yield from the effort. And my experience in healthcare has been, too often, we think that buying and deploying the tool, that technology, is the solution to the problem rather than something that enables it. And we tend often, or too often, to neglect thinking about process and thinking about the people, which is like culture, training, the standards that we lead and expect others to adhere to, that sort of thing. So that's a pretty big windup here for the pitch. But my question to you is, am I right? Is part of what I'm hearing here that overall, you're describing an approach that tries to address all three of those areas? Or am I spouting BS here?

Ty Hollins: No, no, you're right on point. Definitely people, process and technology are key. So let me give you an example. So from a people standpoint, and I've kind of grouped information security, the information security program, into the two buckets, compliance governance and security operations, people are going to span across both of those. So operationally, you need someone to operate the tooling that's used in security operations, but you also need folks to manage and drive the process when it comes to compliance governance, policy creation, management, control assessments, design, operational reviews, etc. So moving to technology, that's the tooling. You need that tooling. Whether it's a SIEM tool, a security operations tool, a vulnerability management tool, you need that tooling to have effective security operations, but connecting that also to the people, you need people to operate and manage and monitor those tools as well. And then your process, that's how do we drive the information security program, driving it through policy, making sure we have SOPs, standard operating procedures, so we know exactly what we should be doing and when we should be doing things, and just the overall process of managing the tool and what we should be looking for. And you can kind of group that also into the metrics part. So what are our exceptions? What are the key performance metrics or indicators that we should be looking out for as well?

Dr. Dave Levin: So again, you've painted a pretty broad picture here. It's a rich palette. There are a lot of things that you can do, many things you should do, in order to have an effective program. I'm curious, in your experience and particularly within healthcare, what do you find when you look inside the typical organization? How robust is the approach, or conversely, where are the places where you commonly see gaps or where people have overlooked important aspects of a complete program?

Ty Hollins: That's a great question. It varies depending on, typically, the size of the organization, and what I mean by that is that typically in a larger, midsize to larger organization, you have robust security operations. You have your security professionals that are eyes on glass, making sure they're monitoring the environment, addressing any vulnerabilities. And what's typically lacking in that midsize to large is the compliance governance piece. That's someone driving the metrics, someone driving the policies and procedures, making sure the risk management is in place, making sure control management, conducting audits, assessing documentation, reporting out. So typically you're heavy in one area and light in the other. And then on the flip side of that, if you look at a smaller organization, you typically have a much smaller security operations team. And sometimes you have a small compliance team, but typically, your compliance, it might be more robust than your security operations is. And that's because small organizations are usually developing their policies and procedures, getting those things up and running. A lot of focus is on that area of making sure we are following regulations and guidance. However, we may have, to give an example, not the best antivirus in place. We may not be doing vulnerability scanning or pentesting because we don't have the resources to do that. So things are documented fairly well. But we're not actually performing security operations to the degree that a large organization would. So my experience has been mid to large size organizations do very well with security operations and kind of lack in the compliance governance arena or domain. And then flipping that, the smaller companies usually do very well at the compliance governance, however, kind of lack that security operations, that robust security operations team.

Dr. Dave Levin: Got it. So it does sound like at least there are some discernible patterns in what you see, but I think I also hear there's a little bit of when you've seen one, you've seen one. When you look at a specific organization, you can go in expecting a certain kind of profile 'cause it's common for that type of organization, but as you get into the weeds, you find, well, this one is kind of like that one, but here are significant or specific differences. And I think this fits well with the work that we're trying to do at Datica. I kind of think of it at a high level as we're looking for areas where it makes sense for another organization to have a partner, where DIY, do it yourself, is either maybe too hard or too expensive or too distracting. And of course, increasingly we see a lot of interest in that kind of approach. And what I like about the way you and others talk about this and are structuring the work is we can kind of meet people where they are. So it's not, and again, please correct me if I'm wrong, you're the expert on the podcast today, but my understanding is we've got a pretty good ability to go in, kind of assess where people are, and then work with them to figure out the important gaps and how we can partner together to close those.

Ty Hollins: Yeah, absolutely. I think we're well equipped to do that for organizations, customers and potential customers, to go in and, to your point, meet them halfway. So if you are a large organization and you say, "Hey, I have a robust security operations team, but documenting and managing, and kind of doing control assessments and all that, those types of things we're not really strong at," we're equipped to meet them halfway and allow our team to assist and help them. And then flipping that around, if you say, "Hey, I kind of got the compliance governance thing down, but on security operations, we need help. We don't really have those, the tooling and that knowledge," we can step in and say, "Hey, we'll meet you halfway. And we'll provide that for you as well." So we have that expertise and that knowledge definitely.

Dr. Dave Levin: Okay. So I've got another one on my potential BS question. So be on alert, Ty, but one of the really interesting trends that's occurring in healthcare right now is what I call the great migration. And it is often the case, we tend to lag other industries in terms of adoption of technology. And in this case, I'm thinking specifically about cloud computing and cloud-based services. And of course, a great part of the world has moved there. Many industries have moved there or are largely there. Healthcare appears to be undergoing the great migration. It's begun. A lot of organizations are in the straddle, particularly on the provider side of the world. At least what I tend to see are provider organizations that are trying to figure out, we want to end up there, but what's the smart way to get there. On the other side, you see digital health companies that are starting there because they really want to leverage the power of modern cloud-based services. So again, a long-winded way of getting to the question, which is how does that play out against the conversation we've been having about building information security programs? How much of this has really been focused on what folks do on-prem within their own footprint? How does that translate as you begin to migrate to more of these hybrid kinds of approaches?

Ty Hollins: That's actually a great question. And for me, the way I approach information security and just the program overall is, cloud and moving to the cloud, everyone's moving to the cloud. It's a great thing to do. But for me, when you think of the cloud, most folks think of it as just a thing out there that information is going to, and we're doing work and somehow things are getting done. And if you really, really, really, really think about it, what is the cloud? The cloud is really a server, still a physical box somewhere, there's still networking involved. There are still the traditional aspects of information technology infrastructure that are involved, and you have databases, you have a database server, you have application servers. The key difference is that it's shared in some way or provisioned in some way. So for me, you still have to protect the key component in all of this, the data. Where does that data reside? And that's the key, is protecting that data and understanding how the data flows and where it's flowing. So it's key, that understanding of where the data's stored, where it's flowing, how it's being transmitted, and then providing the security tooling, controls and policies around that in order to protect that data. So, for instance, if it's stored in a data center that's hosted by a third party, some of the protections you could use, or you make sure that third party has some type of assessment, SSAE 18, or SSAE 16, or SOC 1, or SOC 2 assessment, which will help you identify key controls that the company is using to protect that physical asset, your data, but also that physical asset, that server. Kind of understanding how your data is being transmitted and making sure when you're accessing your data or you're going across the web, making sure it's a secure line. Making sure that the data, when it's stored, is encrypted. Making sure that in order to access data, you use multifactor authentication. So a lot of the tooling, a lot of the controls are the same. You just need to know where and how to apply them, and the goal that you need, the objective, is to protect the data.

Dr. Dave Levin: Well, that makes a lot of sense to me, even with my limited understanding of these things. What I heard in there, the real key phrase, is shared responsibility. So knowing what your cloud services provider does and doesn't do, and also, given the various kinds of relationships and configurations you can have with a cloud services provider, what are they responsible for when it comes to information security and what are you taking responsibility for as the customer. So, if you just joined us, you're listening to 4 x 4 Health, and we're talking with Ty Hollins, information security officer for Datica. So Ty, for my next question, I always remind my guests, this is a family-friendly PG-13 show, but what's your pet peeve or favorite rant these days?

Ty Hollins: Yeah, my pet peeve is just the lack of accountability. For me, I've worked in many businesses, worked with senior executives, management teams. This is one of the topics that's always difficult to broach, and it's accountability. But I find most people actually don't understand what accountability is, why it's important or where it starts. Somebody might argue and say, I understand why it's important. But I would argue that you don't necessarily know how to create a culture of accountability. Most folks, in most organizations, hope it will happen.

But that's not, as you know, that's not strategy. So for me, to kind of address that, you need to first define your roles and responsibilities. What's my role, what am I responsible for? And then you kind of define performance objectives that align with the overall business strategy and make sure those responsibilities align to those objectives. And as a result, what you'll find is that you'll begin to develop a high-performance culture, because everyone's striving for the same thing, everyone's aligned with the same strategy, and your objectives and goals are all aligned to meet that.

Dr. Dave Levin: It sounds like, while you talk about that, you encounter resistance to this topic. Tell me a little bit more about that. Where do you think that resistance comes from? Is it a lack of understanding? Is it a concern about the accountability that comes with that kind of clarity? What do you think is behind that?

Ty Hollins: A lot of it comes from roles and responsibilities not being defined. You have some folks that, I'm just going to give an example, maybe an engineer, a security engineer, and they may be doing a security engineering role. However, they may have some other aspects of the role that aren't necessarily security engineering. You may have an engineer that's performing engineering duties. However, they may not know where that line ends. They may start performing some security engineering duties. And the list kind of goes on. I kind of stayed in the engineering core, but that also expands out to accounting and finance, where roles aren't really defined, nor are the responsibilities associated with those roles defined. So you really can't hold folks accountable if the role's not defined and what I'm supposed to be doing isn't defined.

Dr. Dave Levin: Of course, we have some colleagues that would say, I've purposely, deliberately cultivated a role that doesn't have any accountability to it. If you don't know what I'm doing, you can't hold me accountable. But I'm not suggesting that's a great way to operate, particularly not in the security realm. So for our last question today, I mean, you've offered us a lot of sage advice today. What's your most sage advice?

Ty Hollins: Yeah. For me, it's know your role and know what you're responsible for, that way you can be accountable. But also don't define yourself by the little setbacks. A lot of people define themselves by whether they are challenged or fail at something. And for me, that's part of learning. You want to be challenged, because that makes you grow, and your job and your role are exciting. And then failure is a learning experience. So you know how to change the way you're working or change something that you've done and learn from that and make yourself better. So for me, it's know your role and don't define yourself by the little setbacks.

Dr. Dave Levin: Well, I really like that. Knowing the lane that you're supposed to be in, being conscious about it, if you're going to cross out of your lane, to at least have thought about, is this okay? I'm getting out of my lane, is that okay? And then I love what you said about failure. I'm a huge believer in this. Now I don't like to make old mistakes, or the same mistake over and over again. And I'm not in favor of recklessness, but I definitely am in favor of experimentation and some risk, thoughtful risk-taking. And I do subscribe to that belief, if you're not failing, it probably means you're not really doing very much. And it's important to cultivate a culture that understands that, encourages it, supports people when they go through that kind of cycle. And certainly in the kind of industry we've been in, it's made good sense to get in, fail fast, and learn from that and iterate and go forward. Couldn't agree more. Ty, this has been really terrific. And I think you've given us a great flyover of what's clearly a very complex and rich topic. I am certainly leaving with a better understanding of what a robust information security program could look like, where some of the common gaps may occur, and some of the approaches that we can take to assess those and then partner to remedy them as well. I'll give you the last word here. Anything that you'd like to add before we wrap today?

Ty Hollins: Yeah, for me, one, thank you for inviting me here today. It is definitely great to discuss the information security program and just my experience and my thoughts. But yeah, I definitely want to stress the importance of having security operations and compliance governance, which together equate to your overall information security program. So having those two key components is essential to making sure that you have an effective information security program. So thank you.

Dr. Dave Levin: Thanks, Ty. We may have to have you come back to hear more about your adventures when you were overseas. I suspect you have some great stories there.

Ty Hollins: Yeah. Thank you.

Dr. Dave Levin: We've been talking with Ty Hollins, information security officer at Datica. Ty, thanks again for joining us today.

Ty Hollins: Thank you.

Dr. Dave Levin: You've been listening to 4 x 4 Health sponsored by Datica. Datica, bringing healthcare to the cloud. Check them out at www.datica.com. I hope you'll join us next time for another 4 x 4 discussion with healthcare innovators. Until then, I'm your host Dr. Dave Levin. Thanks for listening.
