BONUS: BCP LIVE with Philly CISOs

SESSION TITLE: BELOW DECK 
RECORDED: 10/26/23
VENUE: Rendezvous (Private Yacht)
LOCATION: Philadelphia, PA
GUESTS: David Lingenfelter, Anahi Santiago and Tammy Klotz
SPONSOR: N/A

ABOUT THE GUESTS:
David Lingenfelter – VP of Information Security at Penn Entertainment, with a 30-year career in cybersecurity.
Anahi Santiago – CISO at Christiana Care, the largest health system in Delaware, with a passion for healthcare cybersecurity.
Tammy Klotz – CISO at Trinzio, with 7 years of experience in cybersecurity in the manufacturing industry.

By way of an invitation from VP of IT for Visit Philadelphia, Keith McMeniman, Chris hosts a live podcast on a yacht with three esteemed Philadelphia-based security leaders: David Lingenfelter, Anahi Santiago, and Tammy Klotz. They discuss the current state of cybersecurity, the challenges they face in their respective industries, and the importance of educating and raising awareness among end users. They also touch on the potential of AI in cybersecurity and the need for collaboration between different stakeholders in the organization.

TIMESTAMPS:
0:00:06 – Introduction to the podcast and the guests
0:04:18 – Priorities in different industries: manufacturing, healthcare, and gaming
0:08:32 – Lessons learned from recent breaches and social engineering attacks
0:13:18 – Importance of continuous cybersecurity training and awareness
0:14:51 – Innovations on the horizon to combat cyber risks
0:14:51 – Introduction to the topic of cyber risks and new technologies
0:15:39 – Buzz around artificial intelligence and its potential
0:17:28 – Recognition of innovative cybersecurity startups
0:18:43 – Discussion on the adoption and governance of AI technologies
0:21:22 – Importance of user awareness and education
0:22:03 – AI’s role in enabling end users to understand risks
0:25:26 – Engaging with end users and understanding their needs
0:27:08 – AI’s impact on healthcare diagnosis and complex cases
0:28:38 – Collaboration between cybersecurity and clinical experts
0:30:20 – Conclusion on the need for collective decision making in AI implementation
0:30:18 – Discussion about the need for a team to solve problems
0:30:39 – Importance of involving stakeholders in conversations
0:31:48 – Question about favorite bar in Philadelphia
0:32:26 – David talks about his basement bar, the Underground Cantina
0:32:55 – David’s bourbon of choice
0:33:17 – Anahi’s preference for watching the Super Bowl in Las Vegas
0:33:26 – Anahi’s favorite bar, St. Stephen’s Green
0:33:47 – Tammy mentions she doesn’t have a favorite Philly bar
0:34:03 – Chris mentions Barcode Security and its advisory services

CONNECT WITH US
Become a Sponsor
Support us on Patreon
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com


This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Chris: Thanks for joining us at the Below Deck Barcode podcast tonight. Live from the open seas, everybody. You may be wondering how we got here in this situation tonight. So three CISOs and a podcaster walk into a bar, er walk into a yacht. Sounds like the start of a bad joke. But seriously, we’re actually here on a yacht, and we have three esteemed security leaders with us. So let’s kick things off by doing a roll call.

Dave: Yeah. My name is David Lingenfelter. I am the C……. apparently I haven’t earned that yet. I’m the VP of Information Security at Penn Entertainment. I am the casino company that you haven’t heard of, has not been in the news recently, but I’ve been with Penn for seven years, and prior to that, I have a 30-year career doing IT and cybersecurity. It’s been a phenomenal run. I absolutely love what I do. It is a passion of mine. And if there’s anything I want to do, it is help people learn more about security, about cyber, and about how they can protect themselves and their companies.

Chris: Love it.

Anahi: Good evening. Anahi Santiago. I’m the CISO at Christiana Care. Christiana is the largest health system in Delaware. Chris, you’re a former disciple of mine. Former team member. I’ve been there eight and a half years; prior to that, I spent ten and a half at Einstein Healthcare Network. So I am a serial healthcare CISO, but I love the fact that every day I show up at work and I know that I am caring for patients. Our whole team is only two hands away from the patient, and everything that we do is making people’s lives better, and there’s no other industry that I’d rather be in.

Chris: Nice. Serial healthcare CISO. I love that.

Tammy: Ready?

Chris: Yes.

Tammy: I’m sorry. So my name is Tammy Klotz, and I am currently the CISO at Trinzio, which is based out of Wayne, Pennsylvania, just as of last Monday. So this is a new endeavor for you. But seven years’ experience as a CISO, basically in the manufacturing industry. Looking forward to making another contribution and changing the world from a cyber perspective at Trinzio. So thanks for having me.

Chris: Love it. Thank you guys for joining me. So it looks like we have the full ship accounted for here. Thank you all for joining me. Now, let’s dive into this. So keeping everyone safe aboard this vessel is the captain’s number one priority today. I’m curious to hear, considering the state of affairs within your respective industries, what is your number one priority today?

Tammy: So I’ll start because I have the microphone, but from a manufacturing perspective, it’s all about our operations at our plants and at our facilities, making sure that we’re keeping our operations secure. We can continue to make product and actually keeping the bad guys out from getting in and not disrupting our supply chain.

Anahi: So being in healthcare, which has taken quite a hit over the last few years, I think our priority is making sure that we understand what our clinical and business priorities are and ensuring that we’re enabling those at the pace that they need to be delivered on while still maintaining a secured environment and creating sort of a frictionless environment where clinicians and business people can accomplish what they need to accomplish without thinking about security.

Dave: How the hell does anybody follow “I protect people’s lives, literally”? I can’t follow that. I take people’s money. Sorry, I need to put an asterisk on that. We are a gaming industry, so our job is to entertain people. But the question was, what’s my biggest concern? It’s the end users that I protect, which is our employees. Really? Our employees work with our customers and they make our customers happy, which is our job.

Dave: My job is to make sure that our employees understand the risk and the concerns that our customers have, which is their data getting out in the world. So my number one concern is making sure that the people that work with me at Penn understand that they are targets, that they are part of the ecosystem of what hackers are trying to get through. The technology has gotten very good over the last several years.

Dave: There are vendors here now that can attest to that. The technology is very good. The weak point is always the human being, and that is what hackers are now working on, what they’re focusing on. So it’s trying to get through to the users.

Anahi: Sorry, the boat’s spinning.

Dave: Apparently the boat is turning around. I thought that was just me. I’m having a good night, but no.

Dave: Where was I? Who distracted this? My focus is making sure everybody at the company understands that they are a target of the hackers and making sure that a security awareness is the number one thing that they’re thinking about, from my perspective.

Chris: Yeah, well said. I’m going to shift gears slightly here. And I’m saying slightly because, David, you were the last one to answer that question.

Dave: I have the microphone.

Chris: Because you have the microphone. So the high seas of cybersecurity have been turbulent lately with major storms brewing and we’ve seen major hacks and making headlines, including the recent MGM breach, which you’re very familiar with.

Dave: I’m sorry, what happened at MGM?

Chris: Yeah, there was some MGM breach I read about, which ended up costing them upwards of 100 million dollars.

Dave: 110 million, according to articles that I’ve read published by other people.

Chris: Okay, so my question is for security leaders trying to chart a course, what lessons can be learned from incidents like MGM and apply to prepare defenses and response plans proactively.

Dave: So the recent attacks, we’ll call them attacks. The recent targets against MGM, Caesars, Clorox, Johnson Controls, you name a company, it’s not casinos, it’s the industry. It’s what I just was talking about, which is the bad guys understand that the way in is not to break through the problems in security. It’s not the vulnerabilities, it’s not the zero days, it’s the humans. The humans are the weakest link.

Dave: We are the target. We are what people are going after because through social engineering, our job, whether it’s at the casino or whether it’s at the hospital or whether it’s in manufacturing or whatever it’s at, our job is to take care of the customer and make the customer happy, make them satisfied. So when somebody calls us or emails us and says, I need this and I’m doing this, our first response is, how can I help you?

Dave: Not, oh, you’re a bad guy impersonating somebody else. It’s, how can I help you? So our job, and the casino industry in particular, is one of those that’s targeted because our job is literally to get people to come and spend money in hopes that they’re going to win money. So our job is to get people happy and make them want to spend more. Being a target is simply part of that environment, and the bad guys have honed in on that. So what I would say is make sure that your customer support, your customer help desk, everybody is aware that they are being targeted as the weak point in the system to get in and to give away information.

Dave: That’s what I can say regarding those. And just any recent again, you don’t even need to target on the recent stuff, but there’s other things where it’s all related to social engineering and that’s the newest target.

Chris: Yeah, I was going to say that crosses over to different industries. Correct. I mean, you guys absolutely are really focused on the same threat here as well.

Anahi: Yeah, we’re no different. And we’ve had events where our help desk was targeted, and an attempt to try and get somebody to configure a device with MFA was a thing for us. Luckily, we have reached those critical assets that are at the forefront of being targets, and they are savvy enough not to have fallen for this particular social engineering attack or attempt. But it’s a daily grind, and all it takes is one person to click on a link. And no matter how much education and awareness you put out there, and how many tests you do, and how much fear, uncertainty and doubt you either spread or attempt to avoid, there is going to be an unsuspecting individual that just wants to do the right thing by someone else and is going to make a mistake. And that could be anyone from the help desk all the way up through people in treasury falling for business email compromise. It’s truly a daily grind in terms of we can’t take the foot off the gas pedal. One-time training isn’t good enough. It’s daily, it’s constant, it’s all the time. And so one of the things that we employ is really looking at what are all the different mechanisms that we can leverage to get to our people, whether it’s the portal, newsletters, phishing exercises, just walking through, in our case, nursing stations and saying, hey, have you thought about X, Y and Z?

Anahi: Christmas is coming. Black Friday, great Target, Amazon deliveries, great ways to get people to fall for things. So really reminding people that as the holidays come upon us that you have to really validate, did you order the thing that you just got the email about or the phone call about? It’s like being hamsters on a wheel, but it’s a necessary thing that we all have to do.

Tammy: So one of the things that I would add is that Dave mentioned that the human is the weakest link of the equation. Right? So when I’m developing a cybersecurity awareness training program, it’s really about flipping that paradigm and actually instilling in the employee population that they need to be the strongest link in the organization. And focusing on your cybersecurity training and awareness program I think is fundamental to actually establishing kind of that baseline and building on that. Whether it’s the monthly newsletters this just happened here and yes, it does happen here and what can we learn from that and using that as an example.

Tammy: I think the other thing that’s important from a manufacturing perspective is the folks who are they’re not at their PC : hours a day, they’re actually running the facility. So when they’re having to check email or they’re having to do their training or they’re having to enter their timesheet, they’re very susceptible just because it’s not their normal everyday course of action. Right? So how do you make sure that they’re prepared and they’re ready? And one of the other things that I support in my program is really around instilling in the employee base how it can not only protect them and their company, but also their families and making it personal for them because then they can take it home with them and instill that at home as well.

Tammy: And that tends to resonate a little bit better, at least in my opinion, for the organization.

Chris: So yeah, as we mentioned, cyber risks still exist. They continue to evolve and make waves. So what are some innovations that you guys see that are on the horizon that you think could help turn the tide in terms of new technologies or new frameworks that you see as a potential life raft for users.

Tammy: I’ll start and then share the mic with my colleagues, but I think we go through these cycles, right? What are the buzzwords? What it’s the new technology, right? So today, if you’re going to ask that question, there’s a lot of buzz around what’s happening with artificial intelligence and how are we going to use that from both a security perspective but also from an innovation perspective, from a business perspective.

Tammy: I was just having some conversations with our R&D folks recently this week and they were like, hey, we want to do this, but we need to know what the guide rails are. How do I make sure that data is protected and there’s not this bias based upon the models that are being used? So you don’t want to prohibit that type of innovation, but you need to partner with your business colleagues to really understand what they’re trying to do, what they’re trying to accomplish, and then work with them to make sure that that’s actually being done securely and that we don’t sacrifice any of the data that is of importance to the company, or any PII or anything like that. So I’ve been very fortunate that folks have been very forthcoming with their wants and needs and desires and having a conversation about how do we do this securely. So I think that’s really that engagement level, and the discussions with our internal stakeholders become very important.

Anahi: Yeah, I’m not going to ignore the powerful promises of AI, both from a business and clinical perspective as well as from a security perspective. I’m also not going to ignore the potential threats of AI because the cybercriminals are using it almost more effectively than we are. But I also think that in the last, say, probably nine months, I’ve started to really pay attention to the startup space in cybersecurity and they’re doing some really cool, innovative stuff and normally I would have ignored them because we get so much stuff that it’s impossible to filter through what we want to actually pay attention to.

Anahi: But I’m finding that what these startups are doing are things that aren’t commercially available in terms of really through APIs and other mechanisms, being able to integrate our existing security stack with their products to do risk management, quantification analysis, threat detection. There’s so many other things that every time I see one of these, I think, whatever, it’s a startup, what can they possibly deliver? And then I meet with them and I’m really excited about what they promise. Again, some of them are very early stage, but I just think that there’s this groundswell of really cool companies entering the space that are really worth paying attention to.

Chris: I do want to get your opinion on the adoption of these AI technologies and specifically generative AI. So we have ChatGPT that continues to take over mainstream users. So how are you guys dealing with that?

Anahi: Governance is first, and so part of what we’ve done is at the network level, we’ve blocked a lot of the accessibility to some of these public gen AI tools because we’re regulated. We can’t have people throwing out patient information and identifiable information out there and us potentially becoming subject to regulatory scrutiny. However, we recognize that people have mobile phones and they want to get their work done.

Anahi: And to some degree, we might be creating blind spots by blocking as opposed to actually monitoring. But we have to block because of how regulated we are. And so we pull together a steer of leaders, clinical, business, regulatory leaders in the organization, to start to talk through. We have to move fast because the train has left the building. How do we develop the policies, the guardrails, to effectively open up the use of some of these tools for our business and clinical people that want to leverage them? A lot of this could really help in creating efficiencies in an industry that’s not known to be efficient.

Anahi: So we shouldn’t be the people creating the friction. But our plan is to develop policies, create guard rails, communicate, because communication for people is so important so that they truly understand what it is that we’re asking of them. And then we’re going to make some really critical decisions about what we open from a public perspective and what we onboard from a contractual perspective to ensure that things like bias, hallucinations and data integrity and all these things are actually taken into account in our security assessments, in our contract terms and our RFPs and everything that we do. So we’re actually building all of the capabilities that we have for assessing vendors that we onboard.

Anahi: We’re introducing now AI as another component of everything that we assess.

Dave: I don’t remember the question.

Chris: Somebody get this man a drink. Yes, ask a question.

Audience Question: So there’s a lot of conversation around end users, right? And not having visibility, et cetera. So the end of the day, one human, you guys all mentioned it can make a mistake. So I guess what do you see in your mind as how do you control that? How do you have visibility into that? How do you put the guardrails up around your end users? What today are you doing? And I guess what’s the future look like in general?

Dave: I guess I get to take that.

Dave: End users. The easiest solution: get rid of them. Replace them with AI. Sure, Chris appreciates that. One, replace everything with… so there’s at least two, probably three avenues you go down with the end users. One is awareness, education, awareness, making sure they understand. They don’t need to understand the technology. They need to understand their role and its impact on whatever it is you do, whether it’s casinos, whether it’s hospitality, whether it’s whatever, whether it’s hospitals, the end users. The users need to understand that what they do is important to the point that they have access to other people’s information.

Dave: So awareness and education becomes a huge factor in that. And I think companies need to invest more money, more time into training the users, the employees of what their role is in that segment. Over to AI. AI can help with that. If we treat and we train the AI engines and the AI models to be able to talk to and respond to the end users in such a way that the end users will understand it, the problem has always been there’s a technical disconnect between the problem and the end users.

Dave: The problem is very technical and has very technical components to it. The end users don’t necessarily understand that. So that translation needs to happen where you are the target, you are the person that can stop this from happening. Technical people, whether it’s IT, whether it’s security, whether it’s audit, whether it’s privacy, they don’t understand how to translate that to people that don’t understand what the risks really are.

Dave: That’s where AI can come in. The technical people can ask AI, how do you create this in such a way that anybody can understand it? Or maybe not anybody. Maybe somebody in an end user role or a help desk role, or a nurse role, or a doctor role, or a banker role can understand this. AI can help create those models. So I think that’s critical to the success of being able to help understand it’s not a matter of how many gates do we put in place? What do we stop the end users from using? We’re never going to stop our employees from doing their job. We can’t do that. You stop the employee from doing their job, we’re out of a job.

Dave: So you need to enable them to do their job better. How do you enable them to do their job better? Educate them on what their impact of their job is. And I think AI is going to play a huge role in that.

Audience Question: Sometimes you have employees at your big company, right? Maybe they’re lower level, they don’t care. I hate to say it, but there’s people like that in every company, right? So how do you control like, okay, I’m trying to educate this user who doesn’t have the same kind of level of interest in your company as you guys do.

Tammy: So I think from my world, in a manufacturing space, it’s really about engaging with that end user because having the conversation about what they’re wanting to do and really understanding why they want to do it. Typically a lot of times, folks in the security space will be like, oh no, we can’t do that. Right. So I try to turn the conversation with them and really have a conversation about, explain to me why you want to do this, and let’s figure out how we can do it together so that we get you what you need, but we also do that securely as well.

Tammy: How do we get to everybody? It’s going to go back to that training and awareness, right. And really making people aware of, what are you doing with company data? What are you exposing? What’s the risk? And really getting people’s minds wrapped around that, as opposed to, I want to do this new, latest and greatest thing without thinking about the risk that actually comes with it. And the only way that happens is by raising the awareness across the organization about what the risks and the threats actually are.

Tammy: And again, if you can put it in personal terms for them, how would you feel if all of your personal banking information was now exposed as a result of an AI type event? Right. So it’s the same thing because company data, whether it’s intellectual property, whether it’s operational data that does trending, those types of things could open yourselves up from a risk perspective to your competitors, to nation states, whatever, depending upon the industry that you’re actually in.

Chris: Yes, sir. Do you have a question?

Audience Question: So I’m curious about the AI aspect for healthcare. You’ve got diagnoses being made by AI that are faster and more accurate than doctors in complex cases, where there are difficult-to-solve cases. Right. How do you approach that from a cybersecurity perspective? Are you looking at the general ChatGPTs, or are you looking at something like an AI specific to medical knowledge? Where do you fall on AI as it relates to helping doctors solve complex cases?

Anahi: That is an awesome question. So when ChatGPT came out and all this gen AI buzz came out, everybody in our organization looked to me as the CISO to help guide this problem. And I had to remind everybody that this is not a cybersecurity issue, this is a data integrity issue. It is a clinical issue. It’s a regulatory and compliance concern. And that in order for us to collectively solve and provide answers to the organization, it couldn’t come from me and it shouldn’t be driven by me.

Anahi: I am part of the team that can help to create a solution for this. But for clinicians to be making clinical decisions based on gen AI, I can’t govern that. I’m not a clinician, never have been. Don’t even play one on TV. I can protect the organization from the threats, but I need the chief medical officer, I need the chief medical information officer, I need the data scientist.

Anahi: I need all of the people that understand not only clinical delivery, but what we can and can’t use AI for in order to make clinical decisions and build on those clinical decisions, to have input. I need the data scientist to help us understand the language models and determine where’s the bias, because somebody’s training those things. And we already know from a clinical research perspective that there are certain groups that are treated medically differently than other groups, just based on how the research protocols were developed and were communicated, and how the clinical outcomes were, and how clinical protocols were developed. So that’s a long answer, which I tend to give, David.

Chris: Well, they did just shut down the engine.

Anahi: Off, but yeah, here’s the thing. I think that the big message is it’s not the CISO’s problem to solve alone. It has to be a team of organizational decision-making leaders to do it.

Tammy: I think the important thing is knowing who your stakeholders are in the organization and making sure that they’re part of the conversation with you, right. Whether it’s the clinicians, whether it’s the doctors, whether it’s the plant operations folks who are really working with you to understand what those risks are and how you prepare yourselves together to really attack those vulnerabilities at the organization.

Chris: Okay, well, the captain is pointing at his watch right now, telling me to hurry the hell up. So I need to ask a fun barcode theme question to end this night. If you were hackers from a pirate ship, and we’re docking here in the city of brotherly love, what bar would you venture to here? And what would your pirate poison of choice be?

Dave: Arrr, matey! I’m actually a country boy. I don’t know anything about this city. I know there’s Tir na nÓg, which is near City Hall. There’s a couple other Irish pubs in the city. But I’m a country boy. I gotta say, I gotta do something that’s much closer to my heart, much closer to where I live. There’s a place that’s very near and dear to my heart that I call the Underground Cantina. It’s actually a bar that I built with my own bare hands in my… yeah, yeah.

Dave: The Underground Cantina is a place that myself and my two boys built during COVID. We had nothing else to do, so we decided to blow out part of my basement and build a bar.

Chris: It’s unbelievable.

Dave: And that is the Underground Cantina.

Chris: Give it up for David Lingenfelter!

Dave: And while most pirates love their rum, you know, the Caribbean and all that sugar that’s down there, yeah, I’m a bourbon boy.

Chris: Let’s give it up for David in his bourbon! Pass the mic, David.

Dave: Bourbon of choice.

Chris: You need to pass the mic.

Dave: What?

Chris: We’re running out of time here, David.

Dave: I like local bourbons. I like anything that is dry and sour. Anything that’s good.

Anahi: All right, real quick, if the question is where am I watching the Super Bowl? Better be in Las Vegas.

Chris: That’s right, baby. Let’s go!

Anahi: Eagles win in that stadium. If it’s just my favorite bar, I would say at this point, I’m a Fairmount girl. So my favorite bar, St. Stephen’s Green, closed. So Kite and Key. Awesome owners.

Chris: Let’s go.

Anahi: Great neighborhood bar.

Tammy: I don’t have a favorite Philly bar. I am north of here, so the only time I’m usually here is with all of my cyber peeps. So I love being here, but I don’t have a recommendation. But Dave has his bourbon, I have wine, and I’m happy.

Dave: Okay.

Chris: All right, I’ll take it. I’ll take it. To my esteemed CISOs that joined me here tonight, I appreciate you sharing your wisdom, your war stories, and your wit. Barcodesecurity.com. If you haven’t checked out the show, check it out. We run a podcast. We run a live show, and this week, we announced our advisory arm of Barcode. So, yes, this is my full-time job now. So if you guys are looking for some synergy between podcast, entertainment, and advisory services, please check us out at www.barcodesecurity.com.

Chris: Thanks to everyone for showing up. This is your host, Chris Glanden, signing off. Everybody, take care. Thank you.