Operationalizing Cyber with Next-Gen Security Operations with Peter Naumovski, the Global CISO and VP of IT Risk Management at AbbVie, and Teresa Tonthat, Vice President and Associate Chief Information Officer at Texas Children's Hospital
October 16, 2024 · 00:23:42

Everyone, from top leadership to the frontline, has a role in safeguarding against cyber threats.

In this episode, Peter Naumovski, the Global CISO and VP of IT Risk Management at AbbVie, and Teresa Tonthat, Vice President and Associate Chief Information Officer at Texas Children's Hospital, emphasize the critical role of basic cyber hygiene. Peter explains how fundamental measures such as enabling multi-factor authentication for remote access, triaging vulnerabilities against threat intelligence, and promptly addressing identified risks prevent most of the breaches seen across industry. Teresa discusses the persistent cyber threats targeting the healthcare sector, Texas Children's multi-level third-party risk evaluation process, and the role of downtime procedures and business continuity planning in protecting patient care. Throughout the conversation, both guests highlight the need to cultivate a proactive security culture that reaches beyond IT.

Stay tuned for a deep dive into the strategies and mindsets that keep these leaders ahead in cybersecurity!


Note: What is discussed by Peter Naumovski are his personal views and not the views of AbbVie. 


Resources: 

  • Connect and follow Teresa Tonthat on LinkedIn.
  • Learn more about Texas Children's Hospital on their LinkedIn and website.
  • Connect and follow Peter Naumovski on LinkedIn.
  • Learn more about AbbVie on their LinkedIn and website.
  • Explore insights, emerging threats, and their potential impact in Deloitte's Annual Cyber Threat Trends Report.

[00:00:02] Hey everybody and welcome back to the series we're doing with Deloitte, Code Green, a life sciences and healthcare cyber podcast series.

[00:00:13] I'm excited to kick off today's episode because we have both the provider and industry perspectives on operationalizing cyber with Next-Gen Cybersecurity Operations.

[00:00:27] First, we'll be hosting an interview with Peter Naumovski. He's the Global Chief Information Security Officer and VP of IT Risk Management at AbbVie.

[00:00:40] Then on the second part of this episode, we're hosting the amazing Teresa Tonthat, Vice President and Associate Chief Information Officer and CISO at Texas Children's Hospital.

[00:00:54] Enjoy today's episode and I look forward to hearing what you think about our series.

[00:01:01] Pete, it's such a pleasure to have you here with us today.

[00:01:05] Saul, it's my pleasure. I'm glad we were able to connect.

[00:01:08] Likewise. And look, let's jump in to the questions in a second.

[00:01:12] But before we do, I'd love to just for you to share a little bit more about your responsibilities, the mission that you're after, and maybe some of the background of your organization.

[00:01:22] Sure. So I've been with AbbVie, well, actually this week was my four-year anniversary.

[00:01:28] Came on the cusp of the Allergan acquisition back in 2020, which really skyrocketed this organization from a pretty good-sized pharma company to, you know, top three, top four pharma companies in the world.

[00:01:42] We're truly a global operation as is the security organization.

[00:01:47] You know, pretty much traditional sort of structure to the group and scope that you'll probably see across life sciences, which includes security operations,

[00:01:57] which is security operations center, incident response, forensics, all the investigations associated with that, insider threats, and attack surface management at a high level.

[00:02:06] Also an architecture, a security architecture function, you know, responsible for ensuring that we built solutions with security by design as sort of the mindset.

[00:02:17] We've elevated the security intelligence or cyber threat intelligence function to be more of a strategic capability for us.

[00:02:24] You'll probably see cyber threat intel embedded in an operations area, and they tend to be more tactical in that sort of setup.

[00:02:33] But we've elevated that function. It's a direct report to me. And under that same leader is M&A, which is challenging, as many would agree, and strategy also sits in that function.

[00:02:45] I also own the GRC, or Governance Risk and Compliance Group, managing enterprise-level IT compliance across the organization.

[00:02:53] Also sitting in that group is third-party risk and risk management.

[00:02:57] And then finally, the group that is sort of back office, as well as chief of staff, and also runs security culture education awareness globally.

[00:03:06] Thanks so much for that, Pete, for that context, and certainly a thorough and well-suited department that you have there.

[00:03:13] You know, what are you seeing in terms of threat landscape and associated attacks?

[00:03:19] Generally, if you look over the last handful of years, cyber criminals, especially in our industry and in most industries, tend to be the most prominent threat actor groups.

[00:03:32] They represent the vast majority of the activity we see across industry in terms of security incidents and breaches.

[00:03:39] 99% of the time, financially motivated.

[00:03:41] And they continue to really target what many would consider low-hanging fruit.

[00:03:46] You look at the recent attacks, and the vast majority of the others come down to really basic hygiene.

[00:03:52] If you consider the Microsoft Cybersecurity Review Board report, change healthcare incident, etc.

[00:03:59] So hygiene, common theme for a number of years.

[00:04:02] And one of the more emerging trends we're also seeing is that as companies integrate acquisitions, that also tends to cause some challenge as it relates to ensuring that you have good cyber hygiene.

[00:04:14] I will also say that ransomware operators tended to be focused again on the low-hanging fruit for a number of years and still are.

[00:04:21] But we started to see a trend last year, probably last part of 2022, in that these operators are willing to invest in zero-day vulnerabilities,

[00:04:31] in identifying those vulnerabilities, and then leveraging them to attack companies.

[00:04:34] We saw that with the managed file transfer incidents from last year.

[00:04:39] And so that's a concerning trend when typically, what, in '23, there were close to about 30,000 vulnerabilities that were published,

[00:04:47] and only a very small subset of that, less than 100, were zero-day vulnerabilities.

[00:04:52] But hey, when the cyber criminals are identifying them before our researchers or vendors are, that becomes challenging.

[00:04:59] And we're also seeing that the window to close these vulnerabilities or address these vulnerabilities before exploitation is significantly shrinking.

[00:05:07] With the, I believe, average time to exploit these vulnerabilities post-release less than 15 days, and we're seeing most organizations are remediating in 158.

[00:05:16] So that's another theme.

[00:05:18] And, you know, what security podcast or any sort of media wouldn't mention AI?

[00:05:24] But I guess, from my standpoint, it's really about how adversaries are leveraging GenAI and driving more entries to market,

[00:05:32] where you may have had less sophisticated actors becoming more sophisticated,

[00:05:35] and even the more sophisticated actors getting even more effective with social engineering,

[00:05:41] writing better code, and even leveraging audio and video and deepfakes to social engineer organizations.

[00:05:47] So that's kind of how I would look at it at this juncture.

[00:05:51] Yeah, and it's getting more and more complex.

[00:05:53] And you mentioned hygiene as a key thing, as complex as it could get.

[00:05:58] Hygiene could be a really, I don't want to call it easy,

[00:06:01] but a fundamental way to prevent a lot of the things that happen.

[00:06:04] Am I hearing you say that?

[00:06:06] Yeah, exactly.

[00:06:07] Having good hygiene, that typically is the initial entry point for these attackers.

[00:06:11] And we've done quite a bit of analysis on the breaches within life sciences and across industry.

[00:06:17] And, you know, it seems like nine times out of ten,

[00:06:19] it's related to something like not having multi-factor authentication enabled for remote access.

[00:06:26] Believe it or not, we're still talking about that in 2024.

[00:06:29] It's not triaging vulnerabilities effectively and not addressing those vulnerabilities based on intelligence that you might have.

[00:06:36] So if there's a critical vulnerability that you may have put in the,

[00:06:40] hey, we'll get to it in our standard SLA,

[00:06:42] and yet you're not leveraging the intelligence that's telling you that those vulnerabilities are being exploited,

[00:06:48] that's going to set you back.

[00:06:49] And we've seen a couple of major breaches this year related to just that.

[00:06:52] I appreciate that, Pete.

[00:06:54] And so with all this change, how are some ways that you're changing your cyber operations to keep up with the evolving threats?

[00:07:01] Yeah.

[00:07:02] So as I mentioned, we've elevated the threat intelligence capability so we can deeply understand who's attacking us, why and how.

[00:07:10] And it kind of goes back to the art of war, Sun Tzu comment of,

[00:07:14] if you know yourself and know your enemy, you need not fear a thousand battles, right?

[00:07:19] And I think there's a lot of power in that statement,

[00:07:22] and it really relates to what we're trying to do.

[00:07:24] So we're ultra-focused on cyber hygiene and ensuring that we have cloud visibility across all of our tenants,

[00:07:31] really heavily focused on ensuring that our vulnerability management,

[00:07:35] attack surface management program is resourced and is focused on the risks that matter.

[00:07:41] We're also implementing zero-trust concepts as it relates to some of our manufacturing sites.

[00:07:46] And what I would encourage many to think through is the legacy VPN mindset and moving away to the next gen,

[00:07:55] which gives you sort of an ability to segment your crown jewel assets for remote users and such.

[00:08:01] I also do think that testing and executing your urgent patch process,

[00:08:06] that's coupled with your intelligence function so that you're reacting to the vulnerabilities that matter.

[00:08:13] We've also significantly increased our frequency of red teaming exercises,

[00:08:18] which has given us a line of sight into cleanup activities.

[00:08:21] And lastly, you know, within life sciences generally,

[00:08:24] you'll find that there's a lot of heavy focus on compliance and quality.

[00:08:29] We also are looking to get that balance of risk management,

[00:08:32] not only to look at security issues tied to quality or compliance,

[00:08:36] but also if it's not tied to those, how do you balance that into the workload?

[00:08:40] And with that said, really focused on driving more of a security-infused culture at AbbVie

[00:08:46] that takes us out of cyber being an IT problem.

[00:08:50] And we're well, well on our way there.

[00:08:52] That's fantastic.

[00:08:53] Definitely interesting to hear the different approaches,

[00:08:57] creating these different moats to important assets,

[00:09:01] and then ultimately to culture.

[00:09:03] For all the listeners today, Pete, as we wrap up today,

[00:09:07] what's one takeaway that you'd leave for them on this topic?

[00:09:12] Know your adversaries.

[00:09:14] Be passionate about defending against those that matter.

[00:09:17] I'll leave you with this statement that was made by a very high-ranking

[00:09:20] government official in the cyber domain,

[00:09:23] who had said that we're infatuated with the nation-state sort of threat actor and APTs

[00:09:30] and guarding against very sophisticated actors like that,

[00:09:34] while cyber criminals are eating our lunch.

[00:09:37] And that was a very powerful statement for me.

[00:09:40] It kind of tied back to some of our intelligence work that we've done over the number of years,

[00:09:45] and something that I think is very relevant and accurate in terms of

[00:09:51] focusing on the adversaries that matter.

[00:09:53] Love it.

[00:09:54] What a great way to close, Pete.

[00:09:56] Let's keep our eye on the bad actors and make sure we're focusing our efforts

[00:10:00] and our assets to make sure we stop them.

[00:10:04] Pete, I can't thank you enough for joining us today.

[00:10:06] It's been a pleasure having you.

[00:10:08] Appreciate it, Saul.

[00:10:09] Teresa, thanks so much for joining us today.

[00:10:11] Thanks, Saul.

[00:10:12] Thanks for having me.

[00:10:13] It's our pleasure to have you here and to talk about a topic so important

[00:10:18] that's top of mind for many leaders in our industry.

[00:10:22] So before we dive into the questions,

[00:10:24] I'd love if you could just tell us a little bit more about yourself,

[00:10:27] your responsibilities,

[00:10:29] and more on the health system that you're a part of.

[00:10:31] Sure.

[00:10:32] I'd be happy to.

[00:10:33] So as you mentioned, my role is associate CIO,

[00:10:36] but I also have the opportunity and privilege to serve as Texas Children's CISO as well.

[00:10:43] I started Texas Children's about six years ago as their security leader

[00:10:48] and have had a great opportunity through mentorship and relationships to build my areas of responsibilities across all of IT.

[00:10:57] And I really, truly feel that that opportunity has given me a different perspective,

[00:11:02] a better perspective to be a better security leader for the organization.

[00:11:06] Texas Children's, as you mentioned, is the largest children's hospital across the nation,

[00:11:12] Children's and Women's Hospital.

[00:11:13] We also have an insurance health plan arm as well,

[00:11:17] the largest children's health plan in the state of Texas.

[00:11:20] And our mission really is to create a healthier future for children and women

[00:11:26] through our global community by leading in patient care, education, and research.

[00:11:32] We currently have over 900 beds across Texas,

[00:11:36] and we just recently opened our first hospital in North Austin this February.

[00:11:42] So very excited about that so that we can expand our reach to the kids and women in the Austin and Central Texas community.

[00:11:49] That's outstanding.

[00:11:50] Congratulations on the inauguration of that hospital up there in Austin.

[00:11:54] That's big.

[00:11:55] Yeah, it's been years and no waiting and we're finally there.

[00:11:59] So we're just looking forward to continue to grow our footprint through Central Texas.

[00:12:03] That's beautiful.

[00:12:04] Yeah, and with access being one of the big issues,

[00:12:07] I'm sure that location is really unlocking access for a lot of people in that area.

[00:12:12] Congratulations.

[00:12:13] And thank you, by the way, as well, for sharing the CISO responsibilities

[00:12:17] and the very important work that you do there.

[00:12:19] In my mind, one of the hardest jobs in the industry today

[00:12:23] with the challenges that we're faced with in our industry in healthcare.

[00:12:27] So help us understand, right?

[00:12:29] A big part of what we do here on this series is helping understand,

[00:12:33] what are you seeing in terms of the landscape associated with these attacks?

[00:12:38] I would have to say that year after year,

[00:12:40] I get asked the same question from my board of trustees and my CEO and president and executive team.

[00:12:47] And it's unfortunate that I continue to tell them,

[00:12:51] I feel like a broken record,

[00:12:52] that the healthcare industry continues to be the number one targeted sector across all industries.

[00:12:58] And the numbers prove it.

[00:13:00] I mean, just this year alone, since January,

[00:13:03] we've already seen over 70 plus attacks against healthcare organizations.

[00:13:08] And it's not slowing down.

[00:13:10] The U.S. specifically has been dealing with an increased level of cyber threats

[00:13:16] targeted against critical infrastructure.

[00:13:18] And healthcare is one of those industries.

[00:13:21] We're seeing many more attack attempts against our environment

[00:13:26] through the visibility of the technology that we have.

[00:13:28] We have third parties that we heavily rely on to run our operations or run our clinical care

[00:13:37] that we see targeted en masse, which is prolific across all other healthcare organizations,

[00:13:44] including Texas Children's in some situations.

[00:13:46] So I don't see it slowing down.

[00:13:49] And I think it's so important that we as security leaders in healthcare

[00:13:54] continue to keep that conversation top of mind.

[00:13:57] And it's not just to the board and our executive team.

[00:14:00] It needs to be top of mind from top down,

[00:14:03] because we're always dealing with the weakest link.

[00:14:06] And they keep on saying it's human factor.

[00:14:08] And it really is.

[00:14:10] And no matter how many levels of defenses you put in place

[00:14:13] and technologies put in place, it takes this one individual.

[00:14:17] And nowadays, it's not just a click.

[00:14:19] It could be social engineering.

[00:14:21] It could be leveraging AI for them to make a decision.

[00:14:24] And no longer are the days through a phishing email.

[00:14:28] There's so many different attacks, tactics and vectors that the attackers are using.

[00:14:34] We need to keep our entire workforce and our contractors and our third parties

[00:14:39] very well informed of how they can help protect the entire organization.

[00:14:44] Thank you so much for that.

[00:14:46] And yeah, it's definitely the hygiene,

[00:14:48] as well as these new entry points and vectors that are creating issues for all of us.

[00:14:53] And as a business, you think, what can I do to support our people?

[00:14:58] And so what's your perspective on what you're doing to support

[00:15:01] the business and the people in it for that?

[00:15:03] Yeah, I think it's important to balance risk and reward.

[00:15:08] Well, operational efficiencies and risk mitigation.

[00:15:11] So at Texas Children's, we have a pretty formal process for risk evaluation.

[00:15:17] As a children's hospital and being the largest in the nation,

[00:15:22] our risk tolerance is quite low, as you can imagine.

[00:15:25] So whenever there is a new technology or a new service that essentially introduces

[00:15:31] additional digital pathways into our network or into our most valuable critical assets,

[00:15:38] which is our patient information.

[00:15:40] We have a very thorough process that includes supply chain, our legal team,

[00:15:45] as well as our information security team.

[00:15:48] But we've also pulled in our IT architecture team to do a full risk assessment to say,

[00:15:53] what is the problem statement we're trying to solve with this new technology or this new service?

[00:15:58] What are the risk mitigations they have in place to make sure they protect our networks

[00:16:02] while they're connected to us?

[00:16:04] What is the data that remains in their custody?

[00:16:06] And we go through a calculation, and if the residual risk is high,

[00:16:11] we take it through committees.

[00:16:13] We don't necessarily say no.

[00:16:14] We say, okay, no.

[00:16:16] I mean, there is a high risk to introduce this new technology or third party.

[00:16:21] But how can we mitigate it?

[00:16:23] Could we mitigate it through additional control mechanisms?

[00:16:25] Can we mitigate it through legal contracts, right?

[00:16:30] Can we mitigate it through vendor oversight?

[00:16:32] And then it actually goes through three different levels of leadership across the organization

[00:16:37] to then finally accept the risk or reject it.

[00:16:40] And one of the things that we do very well here is there's never one leader or one executive

[00:16:45] that can accept the risk for the entire organization.

[00:16:47] Because we're dealing with over 4 million patient health information records at Texas Children's.

[00:16:52] So it's actually a group decision before we can accept a high risk technology or solution.

[00:16:59] In the world that we're living in right now, in the headwinds that healthcare is facing,

[00:17:03] we do a lot.

[00:17:04] We have a lot of influential conversations with our business partners on leveraging what we already have.

[00:17:09] So if we already have an on-premise platform or a SaaS platform that could meet at least 80%

[00:17:14] of their business or functional requirements, we push them to use that because it's already gone

[00:17:19] through contracts.

[00:17:20] It has the BAA.

[00:17:21] It has the information schedule.

[00:17:23] It's gone through risk assessment.

[00:17:24] We have a relationship with that vendor so that they can respond to us if anything happens.

[00:17:29] And there's not additional data sprawl.

[00:17:32] So the more third parties you bring on, you're taking a copy of your valuable data and giving

[00:17:36] it into the custody of another vendor.

[00:17:38] And that in itself increases your threat landscape and your attack landscape.

[00:17:44] So I continuously tell my team to have those conversations with our operational leaders

[00:17:48] to make sure we're doing the right thing at the right time for our organization.

[00:17:53] Love it.

[00:17:54] It sounds like a very thorough review process with, you know, keeping the business in mind

[00:17:59] at the same time.

[00:18:00] It's a nice balance.

[00:18:02] It seems to be always a balance.

[00:18:03] And you mentioned the critical infrastructure, had the chance to connect with Greg Garcia while

[00:18:08] at Vive and the work that he and the team, I know it's a very big group.

[00:18:13] Likely you're part of that work.

[00:18:14] So really it takes more than one to have success here.

[00:18:18] Out of all the things happening, Teresa, what would you say keeps you up at night?

[00:18:22] Well, that's a hard question because I don't sleep so asleep.

[00:18:28] And I still don't sleep very well.

[00:18:31] You mentioned something earlier that, you know, I can make a broad connection to you.

[00:18:35] You talked about security hygiene.

[00:18:37] So most security leaders have a large, extensive program with many projects, with many new

[00:18:44] capabilities from a people process and technology standpoint to implement and to implement

[00:18:48] correctly, but most importantly, to implement holistically, right?

[00:18:52] And I think the larger the organization that you serve in, one thing that always keeps me

[00:18:57] up at night is when we do an initiative and we say we have X percent of coverage, right?

[00:19:04] Did someone within IS, not just in security, but in our infrastructure team, in our network

[00:19:10] team, may have missed something when they're doing a decommission activity?

[00:19:14] Maybe missed patching for a small percentage.

[00:19:18] It's the things that we may have missed that could then be a foothold for the threat actors

[00:19:25] to get then access into our network.

[00:19:27] That keeps me up.

[00:19:28] I know our teams do a very good job with bringing on the right technology, putting in the processes

[00:19:35] and people to support it.

[00:19:36] But I feel that if you're not 100% on and focused all the time, there could have been a

[00:19:41] mistake.

[00:19:42] And that small mistake could be detrimental for the organization.

[00:19:46] Everything I hear in the news right now with organizations that have fallen into a ransomware

[00:19:51] attack, many of them, it's not because they fell asleep at the wheel.

[00:19:54] It's because one VPN connection was missed.

[00:19:58] One account without MFA was found.

[00:20:01] And it can happen to anyone, any organization, no matter how much millions or billions of dollars

[00:20:06] you invest in your cybersecurity program.

[00:20:08] And I really, that's what keeps me up at night is if the threat actors find that one mistake

[00:20:14] or that one gap and then get in, even though the teams have been working so hard to elevate

[00:20:20] the maturity of our cyber program.

[00:20:22] Yeah, it definitely is something that would keep me up as well.

[00:20:27] And certainly, but what can you do about it though?

[00:20:30] Like, is there anything we can do about it?

[00:20:32] Like, and I think everybody's asking that question.

[00:20:34] Yeah, I think one thing that I could share back with the listeners really is you can invest

[00:20:41] so much in the people across this technology, but at the end of the day, we get the investments

[00:20:46] we need to do from our board and executive team is because they want to ensure that we

[00:20:50] can help enable organizational resilience.

[00:20:53] They want to make sure that we're doing everything we can upfront to minimize the impact of patient

[00:20:59] care when we have a code dark, when we go dark, right?

[00:21:05] So I think that is for every security leader or technology leader out there, technology is

[00:21:12] not always up a hundred percent, right?

[00:21:14] It's 99.99 plus percent up, but there's still that 0.01% that it could be down.

[00:21:20] And what are our nurses and our physicians and our patients?

[00:21:25] Are they trained to know how to run the organization when we don't have technology?

[00:21:31] Because it's not if, it's when.

[00:21:33] Everyone says it and it's true.

[00:21:34] We see the best companies out there with millions of dollars in investments still fall victim

[00:21:38] to a ransomware or to an event that cripples their technology.

[00:21:43] So my emphasis to everyone is focus and build that relationship with your organization

[00:21:48] resilience leaders, make sure business continuity plans are refreshed, make sure they spend time

[00:21:56] simulating and practicing downtime procedures and keeping those updated so that when it does

[00:22:02] happen, the impact to providing care to patients could be minimal.

[00:22:07] Oh, I love that, Teresa.

[00:22:08] So well said.

[00:22:10] At the end of the day, we are in the patient care business and the people that provide the

[00:22:14] care, having those resiliency plans.

[00:22:16] And it's not if, it's when.

[00:22:18] I love it.

[00:22:18] Thank you so much for your thoughts on today's podcast.

[00:22:22] It's been super valuable.

[00:22:24] Folks, Teresa Tonthat, Vice President and Chief Information Officer, as well as CISO at

[00:22:30] Texas Children's with us today for all of the show notes and things that you can learn

[00:22:36] and review.

[00:22:37] Check out the show notes and you'll be able to check those out at the bottom of the podcast

[00:22:42] today.

[00:22:43] Teresa, thank you so much for joining us.

[00:22:45] We really enjoyed our time with you.

[00:22:47] Thank you so much for having us on.