December 21, 2022
EP 17 – Highmark Health CISO on the Power of Storytelling
Too often when we think of the human element in cybersecurity it’s the insider threats. But more often it’s the hardworking protectors inside the organization who, while passionate about their jobs, would rather work to live than live to work. Although that reality can easily flip due to the nature of the cyber world. That’s where today’s guest Omar Khawaja, who’s been the CISO at Highmark Health for nine years, comes into the picture. As you’ll hear, Khawaja’s been on the cutting edge of cultivating talent and creating a cyber culture that empowers the human element of an organization with more than 37,000 employees. What you’ll learn: How the power of language, relationships and story can be used to effectively communicate cybersecurity strategies and best practices with partners outside of the space. And how the benefits of this can lead to better culture, retention of talent and business growth.
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.
[00:00:24.100] – David Puner
Focusing on your people’s priorities is not only the right thing to do, it’s also good for business. Today’s guest, Omar Khawaja, who’s the CISO at Highmark Health, is very passionate about this subject. He’s very in tune with the human element in cybersecurity. Too often when we think of the human element in cybersecurity, it’s the insider threats. But more often it’s the hardworking people who work to live rather than live to work. Although that formula can readily flip due to the nature of the cyber world.
[00:00:57.400] – David Puner
As CISO of an organization with more than 37,000 employees, Omar has the double challenge of being both the protector of his organization and the customers associated with his organization, as well as fostering talent. Because if the talent, the team, and the greater organization aren’t getting what they need to live their lives while growing professionally, they won’t stick around. In a time when the cybersecurity skills gap is such a big reality, it’s critical for businesses to foster and retain talent.
[00:01:28.940] – David Puner
As cyber attacks continue to grow in frequency and scale, demand for qualified professionals far outweighs supply, fueling a fiercely competitive talent war. Let’s get to my talk with Omar Khawaja, a fitting final conversation for 2022. He’s been in his role for nine years, which is a long run for a CISO, and as you’ll hear, he’s built an impressive practice and is super candid and insightful about it. Thanks for joining us this year. Look for new episodes of Trust Issues at the top of 2023. Have a happy New Year.
[00:02:06.920] – David Puner
Thank you for joining us today. Omar Khawaja, CISO for Highmark Health. The last we caught up with you was about a year ago, prior to launching this podcast, actually. For those who may have missed it, I was hoping maybe we could start off here by giving us a quick introduction into your role as Highmark Health CISO.
[00:02:28.700] – Omar Khawaja
I just hit my nine-year anniversary about a week and a half ago.
[00:02:31.860] – David Puner
Wow. Long run.
[00:02:32.790] – Omar Khawaja
I don’t know how to start it off. Yeah. I sometimes feel like I am a CISO dinosaur, given how many years I’ve been a CISO at the same organization. But it’s been a fantastic run because I’ve seen the organization go from being a smaller organization of just health insurance. We used to be the Blue Cross Blue Shield when I started for just one or two states. We’ve now grown that to about four different states. We used to not have hospitals, and now we do. We started a tech services business and we started a pretty big offshore operation and print shops, and we’ve doubled in size. We’ll probably close the year closer to $26 billion.
[00:03:11.160] – Omar Khawaja
It’s been an exciting run for these past nine years and the new challenges that have come with every year running an organization. I also have the privilege of serving on a couple of boards. I serve on the board of the HITRUST Alliance and of the FAIR Institute. One of my favorite roles is I get to teach at the CISO program at Carnegie Mellon University.
[00:03:37.650] – David Puner
2022 has been an eventful year, to say the least, for cybersecurity professionals. Threats have reached new heights while skilled professionals are in higher demand than ever. How has the healthcare threat landscape shifted in 2022? How has your team adapted to tackle these challenges?
[00:03:56.700] – Omar Khawaja
I’d say just the velocity feels like it’s increased in 2022 compared to previous years. I think some of the reason it feels like the velocity has increased, and there seem to be more attacks and more variants and more TTPs and more incidents, particularly those affecting third parties, is because we’ve also grown as an organization and we’re also expanding digitally at a rate that we’ve never grown before.
[00:04:28.260] – Omar Khawaja
As our surface area expands, there’s going to be a lot more opportunity for exposure. The pace at which we have to operate to keep up to manage those inherent risks and reduce those down to a residual risk that’s at some tolerable level is an insane pace at which we’ve had to operate in 2022, and we’ll continue to do that.
[00:04:50.570] – Omar Khawaja
Every year, we feel like just to keep up, we’ve got to go significantly faster than we did the previous year. Internally, we have a program called Think Up that’s all about that. It’s all about how do you do things more efficiently, how do you do them a lot smarter?
[00:05:07.780] – Omar Khawaja
Some of that is automation, but a lot of that is giving people these newer middle skills that essentially end up being power tools that allow us to operate at 5 or 10 X because we’re using the right tools for the situation versus trying to bring old tools into a new context and new speeds.
[00:05:27.320] – David Puner
Interesting. As we look back at 2022 and we look forward into 2023, are there any particular trends you’re seeing that have emerged in 2022 that you think are relevant going into 2023, gaining speed?
[00:05:41.960] – Omar Khawaja
Two probably pretty significant trends that I think about a lot as I’m planning for 2023. One is around connection. How do we create strong connection, strong relationships, sense of belonging within the security team itself? Because if the security team operates as a strong unit and operates together, the security program is going to be much more successful.
[00:06:06.550] – Omar Khawaja
As we’ve been spending more and more time physically apart, if we’re not very deliberate about how to stay connected, how to make sure that the work that we’re doing is connected to something meaningful, something that we feel is impact that gives us a sense of pride and excitement and engagement in our job, then we’re going to lose the motivation and we’re likely not going to do the best work of our careers. We really desperately need people to be doing the best work of their careers otherwise, it’s going to be hard to run a successful security program given all of the threats and the risks that we face.
[00:06:42.540] – Omar Khawaja
But it’s also creating strong connections with our technology peers and with the business, with external third parties, and with our colleagues at other organizations that are working on managing similar risks. The more we can do to strengthen those connections, the more likely we’ll continue to succeed in ’23 and beyond.
[00:07:06.180] – Omar Khawaja
The other thing, David, I think about a lot that concerns me going into 2023 is the level of complexity. If we think about the variety of technologies that we’re tasked with managing and the variety of environments, a few years ago, we would talk about this notion of are you in Cloud A or Cloud B or Cloud C? For a little while, we all dreamt of our enterprises picking a cloud provider and just being there. But the reality is for most large enterprises, we’re going to be in each of the large cloud providers, whether directly or indirectly.
[00:07:44.800] – Omar Khawaja
The number of environments we have to protect, the number of technologies in each of those environments that we have to protect, and the rate of change of each of those technologies is quite dramatic. On top of that, if we think about all of the controls that we’re deploying to protect each of those technologies, the preventive controls, the detective controls, the responsive controls that we’ve been accumulating over the years, seems to just grow and grow and grow in an untenable fashion.
[00:08:15.140] – Omar Khawaja
I think it’s really important for us to figure out how we right size controls, how we manage controls. We’re used to talking about and making a case for how do we add more controls, but there isn’t enough discussion about how do we know if these controls are of value? Which of these controls do we eliminate and we free up the time and space to then go focus on getting more value out of the controls that we have?
[00:08:41.840] – Omar Khawaja
I’ll say something that probably will seem pretty controversial, and it’s about defense in depth. Defense in depth is a phenomenal quality and it’s a positive thing. The reality is, no matter what the positive thing is or quality or characteristic, when taken to the extreme, a strength and a positive actually does at some point start to become a negative.
[00:09:04.920] – Omar Khawaja
A doctor will tell you if you drink too much water, that can actually cause you more harm than good. The same thing with defense in depth, I feel like sometimes we misuse it and we take it a little too far, and it becomes an excuse for instead of repairing the imperfections of our controls, we decide to just add more controls.
[00:09:24.860] – David Puner
Are you saying that everything in moderation applies to defense in depth?
[00:09:30.460] – Omar Khawaja
Yeah. I think it was Julia Child who said everything in moderation, including moderation. Yeah, we should be thinking about defense in depth and moderation, but taken to the extreme, is it really serving us or at some point, does it end up doing a disservice to us?
[00:09:46.320] – David Puner
It’s really interesting. First of all, first mention of Julia Child on an episode of Trust Issues, so thank you for that. As far as looking at these controls and which ones may be put on the chopping block, are you methodically doing that now, or is that something that you know you need to start to do in 2023?
[00:10:08.120] – Omar Khawaja
We have a process called the Bosight process, and it’s based on a framework that we developed a few years ago, the Bosight Framework, and that’s the framework that we developed to say, if we’re going to go deploy something new in the environment, this is how we make a case for it and determine whether or not we should do it. It gets rated and ranked against other opportunities that we have.
[00:10:32.500] – Omar Khawaja
In the last year or so, the shift that we made is we said, we should just take that same framework and we should apply it to all renewals. Why is it that when we’re going to go spend a million dollars on something new, we give it this much scrutiny, a lot more scrutiny. But when we are going to go do a renewal for something that may be costing us a million dollars, we give it less scrutiny.
[00:10:56.260] – Omar Khawaja
Now, the reality is we have a fiduciary responsibility to the organization we operate in. I have to be super mindful of every dollar that I spend on the security program is one less dollar that’s going into improving care delivery at our hospitals or one extra dollar that premiums are increasing for our members.
[00:11:16.620] – Omar Khawaja
I’m okay with those things happening if there’s a really good reason for it. But if I’m just managing and maintaining another security shiny object because it’s already been there, that doesn’t feel like a really good reason. What I found is it’s not as much about technology. I couldn’t give you the name of a particular three-letter or four-letter technology and say to my CISO peers, Hey, you should all put technology X on the chopping block and you should stop paying for it because it’s a waste of time.
[00:11:46.260] – Omar Khawaja
From my experience, at least, it’s much more about how you’ve deployed and implemented that technology. What are the series of decisions that you’ve made, the leaders that have been responsible for that technology, the resources they’ve gotten, the priority that technology has gotten.
[00:12:01.560] – Omar Khawaja
Based on the deployment of the technology, it may be giving you a lot of value, but it may not be giving someone else value. It may just be shelf ware. In our case, when we’ve eliminated technology, it’s not because we think there’s something wrong with the technology, but it’s more so we think that the way we’ve implemented it isn’t delivering value, so we’re better off eliminating it.
[00:12:19.740] – David Puner
We’re coming up here on three years since the dawn of COVID-19, and a lot has changed with work from anywhere. I know that your team is no exception to that rule. You’ve got about 200-plus folks on your team working in more than 20 states. Prior to COVID, you were in two states. Overall, Highmark Health has 37,000 employees, I should add. As far as that connectivity goes, how do you foster connectivity when we are working further apart than we were prior to the pandemic?
[00:12:55.390] – Omar Khawaja
If there’s one word response to that, it would be deliberately. When we were in the office, we would serendipitously build connectivity because you’d see someone in the lunch line, you’d see someone on the way to the car, you’d see someone waiting in the elevator lobby. I can tell you, I’ve built lots of really memorable relationships in parking decks and elevator lobbies. In elevators, that’s where the initial spark happens. You see that same person two, three, four times. Then you’re like, Hey, can we spend 30 minutes or an hour together?
[00:13:27.400] – Omar Khawaja
That’s, in fact, how our organizational change management program was born, because the elevator was taking too long and there was an organizational change management expert who happened to be waiting at the elevator. Then I discovered this whole discipline called organizational change management. Who knew there was a science around how you get people to evolve and change and adopt certain behaviors that are meaningful.
[00:13:50.840] – Omar Khawaja
But serendipity, there isn’t nearly as much room left for serendipity. Things won’t just spontaneously happen. We’ve got to be way more deliberate. We’ve got to provide those forums. We’ve got to give people that sense of belonging. We can’t try to get 100 people together and say, Let’s get together and have a meaningful conversation. We’ve got to do it in smaller groups.
[00:14:12.860] – Omar Khawaja
For many years, even pre-COVID, I did something called an Ask the CISO session. I’d get groups of eight or 10 people, maximum 12 people, together. That’s been wonderful. I do probably about 40 to 50 of those in a typical year.
[00:14:26.300] – Omar Khawaja
We do these things called Working Well sessions. It’s not about project updates, it’s not about security updates. It’s really about how are we working together and how do we foster connectivity, how do we teach each other things. We’ve had people come in and do lessons on meditation and breathing and talk about yoga.
[00:14:44.340] – Omar Khawaja
I had a colleague of ours that talked about how she had survived cancer and some of the learnings from that and spreading awareness for that. It’s really just bringing the humanity out that we all have. In the past, our humanity would show up not in the meetings, but it would show up in the spaces between the meetings. We’ve got to find room and space for those very human connections again.
[00:15:06.550] – David Puner
Finding space for that while still redefining the model of how we work and work together, it sounds like. Because if you’ve got a team scattered over 20-plus states, you’re not all of a sudden going to require them to move to Pennsylvania or Delaware.
[00:15:24.180] – Omar Khawaja
Yeah, absolutely. One of the biggest influences on me this year that’s really helped me figure out how to get that connection is a book called Love as a Business Strategy. My team and I, all the managers, read this book earlier in the year, and their tagline was bringing humanity back to the workplace.
[00:15:45.940] – Omar Khawaja
After reading the book and listening to some of the author’s podcast, we said, This is the real deal. They’re really working and digging deep to do the hard work of saying, How do we actually bring that humanity and that human connection back to the workplace. For the last eight, nine months, we’ve been on this journey and aligning to a lot of the principles and the strategies in the book to do exactly that.
[00:16:12.180] – David Puner
Really interesting. You’re thinking a lot about culture, and I know you also think a lot about cybersecurity culture, which has been a particular passion of yours.
[00:16:22.090] – David Puner
Then there’s the cyber score program, something you’ve implemented to engage individual employees and provide actionable feedback on their own security practices. What’s going on with that program these days? Are there any new initiatives you’ve rolled out to weave security even deeper in your organization’s culture?
[00:16:38.700] – Omar Khawaja
David, when we think about programs and when we think about change, one of the things that we’re big fans of is measurement and metrics. Because to drive something sustainably and to do it at scale, if you can build the right dashboard that resonates with the audience, which means it’s something they understand, it’s something that they believe they’ve got control over, and it’s something that’s meaningful that they’re motivated to help improve, that’s where the magic happens.
[00:17:08.370] – Omar Khawaja
When we wanted to drive changes on the technology platforms, we went to each of the technology platforms and we worked with them and we created something called the secure index. When we paid attention to how incidents happen, and the Verizon DBIR says 85% of all incidents happen because of some involvement of the human element, we said, well, how do we get the humans engaged? How do we not talk about humans as the insider threats?
[00:17:34.020] – Omar Khawaja
How do we turn humans into an asset? How do we engage humans positively? That’s how the cyber score was born about maybe four or five years ago, and we’ve continued to deploy it. Essentially, it gives every human in our enterprise a score.
[00:17:52.180] – Omar Khawaja
An employee can go to cyberscore.highmark.com, and based on eight simple factors, they could see exactly what their cyber score is. They are told exactly what they can do to improve their cyber score if they’d like to, and what factors are causing their cyber score to be low, almost fashioned around something like the FICO credit score.
[00:18:12.200] – Omar Khawaja
If you think about compliance training or security training, the annual training that almost all of us are subjected to in almost all organizations for the last many, many years, people aren’t excited to take that. I know it’s odd for me as the CISO to say I am not excited to take the annual security training, but there you go, I said it. It’s not that exciting to take.
[00:18:35.180] – Omar Khawaja
I said to the team, let’s make the annual training as short as possible. If it’s going to be painful, let’s keep the pain as minimal as possible. That’s the best we can do. But let’s augment that with things that people want to do. In a typical year, we have over 10,000 people across the Highmark enterprise that voluntarily take cybersecurity training.
[00:18:58.580] – Omar Khawaja
No one sends out an email saying, do this. It doesn’t show up on any checklist. There’s no naughty list. The CEO doesn’t say do it. Omar doesn’t say do it. Your boss doesn’t say it. All we say is go check out your cyber score. It turns out a lot of people want their score to be a little bit better and they realize they can take some training.
[00:19:15.320] – Omar Khawaja
But then the training content has to be awesome. We partner with a training provider that produces phenomenal content that’s actually exciting. I get emails saying, Omar, when can we take more of this training? When is the next series coming out? Because this was actually fun. Turns out there’s no rule that says the training has to be boring. We can actually make it fun and engaging and exciting. When we do that, people actually want to take it.
[00:19:39.200] – David Puner
Do employees who take the training and score high get a free pair of Ferrari sunglasses or something like that? Or is it really just a love of the game, pride situation?
[00:19:50.740] – Omar Khawaja
It’s mostly that. For the first few years, they would get nothing. Now, I’d have different people coming to me and say, “Hey, Omar, I’m really proud. I’ve got a score of 95. I’ve got a score of 100 on the cyber score.” This year, the team said, “Hey, we should create a champions program.” For people that have maintained a score above a certain threshold for six months, or a year, or two years, they get a bronze, or a gold, or a silver certificate.
[00:20:17.360] – Omar Khawaja
One of the funnier moments of the year is I got an email from myself congratulating me for getting a certificate. My immediate response was, “This sounds like it could be fishy.”
[00:20:28.940] – David Puner
That’s right. Continuing our people focus, what are you most proud of when it comes to your team’s change management efforts? Are there any roadblocks or challenges you were able to overcome in the last year, any anecdotal stories about individual employees, or changing behaviors, or naysayers becoming cybersecurity champions, or anything like that?
[00:20:50.760] – Omar Khawaja
One of the things that we really did in earnest, we kicked this off last year, but this year really got its wings, is the Secure-up program. That’s all about when the business wants to go do something new, a new use case, a new application, it’s in the cloud, a new medical device, we want to make sure that that’s happening securely. That goes through something called the Secure-up process.
[00:21:16.180] – Omar Khawaja
That creates a lot of friction because now we’re saying to the business, you’re not going to have permission, what we actually call an authorization to operate, an ATO, until you’ve gone through the process. It takes doing a very deliberate job of explaining why we’re going through this process to help overcome obstacles. Our first guiding principle in ISRM that we put together maybe about six or seven years ago is first why, then what.
[00:21:45.120] – Omar Khawaja
It’s so easy, and it’s so convenient, and it’s so tempting for us to talk about the things we’re going to do. The reality is they end up on deaf ears, because the other person isn’t even sure why they should try to understand the gobbledygook that you are sending their way, because it doesn’t make any sense to them. If they don’t know why it should make sense to them or why they should care, they’re not going to spend any energy, they’re not going to invest any energy into trying to understand and trying to figure it out.
[00:22:11.980] – Omar Khawaja
Explaining the why first and then talking about the what at the very end is really a good thing to do. Same thing here, when we’ve had the multiple business areas that came to me and said, “Oh, Omar, this is taking too long.” I said, “Look, I understand, but you need to get this done. This is really important.
[00:22:30.500] – Omar Khawaja
Here’s the reason we’re doing this. These are the types of incidents that happen in these environments. This is what we’re preventing. These are the costs that you would incur. These are the reputational damages that you could incur.
[00:22:42.120] – Omar Khawaja
You as the business owner do have the ultimate decision-making authority. If you want to accept a lot of this risk, you can do that. However, we’re trying to go down this path, so there isn’t nearly as much risk to accept.”
[00:22:54.720] – Omar Khawaja
I could tell you, when you have that type of a conversation and you do it in words that people actually understand, there’s almost no business leader that I come across who doesn’t respond with, “That makes sense. Thank you for explaining that, and I appreciate the hard work that your team is doing.”
[00:23:09.890] – Omar Khawaja
Now, it’s really, really important that on the other end of that, me and my team work really, really hard to say, “If I know the business is really interested in speed to market, that I am conveying to them that we’re working really, really hard to get this done as fast as possible.”
[00:23:27.740] – Omar Khawaja
If the business knows I’m trying to get it done as fast as possible, then the business is going to be very willing and supportive to say, “Let’s make sure we do it as securely as possible as well.” When we talk about Secure-up, the objective is very simply move forward swiftly and securely. If we have those dual missions in mind, it’s a beautiful marriage between the business and security.
[00:23:49.880] – David Puner
You were interviewed recently for the Wall Street Journal, and you mentioned that practice areas like storytelling, among other communities of practice you created a few years ago, are important for leaders in your organization to know and learn.
[00:24:05.380] – Omar Khawaja
The initial driver was simply a quote that I had read from the Institute for the Future, and the quote said, “80% of all jobs that will exist in 2030 are going to be jobs that did not exist in the year 2020.” To me, I’m a leader of people. I’m also a leader of the security program.
[00:24:26.760] – Omar Khawaja
While those two are very much interconnected, it’s important for me to make sure I’m fulfilling both responsibilities, the responsibility to the people I lead, to make sure that they are successful as individuals, and also responsibility of the program I lead to make sure I deliver on the objectives that the business has hired me to deliver on in that role.
[00:24:49.700] – Omar Khawaja
When it comes to communities of practice, it turns out that it serves both those objectives. If people are going to be at Highmark in the security department, if they’re not going to be acquiring new skills every single year, then by the year 2029, they’re going to be looking upon a cliff and thinking, “I don’t think I’m going to have a job next year. What do I do? Why did my bosses not help me? Why didn’t they prepare me for this?”
[00:25:16.620] – Omar Khawaja
2029, it’s going to be too late to learn brand new skills. We’d rather we’d be refreshing and updating those skills and developing people every year, every month, every quarter.
[00:25:26.520] – Omar Khawaja
But also, from the perspective of the program, if we don’t know how to engage with the business, if we don’t have great skills like storytelling, if we don’t know how to align with the technology teams and we don’t understand scaled agile, if we don’t know how to go to the CFO and explain security in terms of dollars and cents using risk quantification in a framework like FAIR, if we aren’t leveraging enough automation to keep up with our adversaries that are automating very heavily, if we’re not keeping up with all of this data that we have and being able to run analytics outside of Excel to actually be able to mine for insights and make decisions that are way smarter than when we try to do them manually in our head, there’s no way that we’re going to be keeping up. Those communities of practice help us make sure that we’re investing in our people, and that in turn also makes sure that we’re running a program such that we’re getting the best outcomes for the least amount of effort.
[00:26:24.740] – David Puner
It’s really interesting that you’re thinking about this because these are skills that are not on the nose cyber skills per se. These are complementary skills. Obviously, we talk a lot in the industry about the cyber skills gap and the massive skills gap for that matter. That was another thing that you discussed in the Wall Street Journal article.
[00:26:46.120] – David Puner
In that interview, you said that in some instances, you found that you don’t need cyber experts in cyber security roles. How have you come to that realization? How do you hire or structure extended teams? What kind of candidates are you looking for? Are they actually applying for cyber security roles? How do you determine, “Here’s somebody who’s not a cyber careerist, but I think that I see some potential there, and I’m going to try to bring them over to my team?”
[00:27:14.720] – Omar Khawaja
Having an open mind and just setting aside hubris and ego and saying, “What are the skills that we need?” Right before our conversation, I was speaking with a team manager on my team. When we hired him, he was a schoolteacher teaching math.
[00:27:36.980] – Omar Khawaja
He’s one of our best managers on the team. In the space that he’s in, he had zero expertise in that space. But he had a friend that worked in security, and he said, “Omar, you’ve got to hire this person. This person is passionate about learning. This person is passionate about growing. This person is passionate about people.”
[00:27:57.560] – Omar Khawaja
I said, “Fine, let’s bring him in. We’ve got an open position. Let’s see how fast he learns and grows.” He learned and grew incredibly fast.
[00:28:05.550] – Omar Khawaja
We’ve had people over the years. I remember we had a freshman that was going to school for psychology. At the end of his eight weeks, he gave a presentation that just blew me away.
[00:28:18.410] – Omar Khawaja
You see multiple of these situations. David, it’s hard to then say, “You know what? I need someone with a degree in computer science or cybersecurity that’s done this for six years.” Well, I just saw this kid who just finished his freshman year come give a presentation that would blow away most of the presentations given by people in my team that have 10 years of experience.
[00:28:40.140] – Omar Khawaja
You have enough of those interactions, and you’re like, “These assumptions that we make up, they’re fabricated.” You have that mix. You create an agile organization. You create a learning organization. You bring people in.
[00:28:55.480] – Omar Khawaja
You give them the opportunity to learn. You give them the opportunity to move into different roles, and you create a climate for them that allows them to be their best and to do their best work.
[00:29:06.860] – Omar Khawaja
It doesn’t always succeed. There’s absolutely cases where it doesn’t work well. But the ones where it does, it’s just wildly successful. It’s amazing what happens.
[00:29:17.420] – Omar Khawaja
One of my greatest joys being a leader in an organization is getting to see people learn and grow and realize potential that they didn’t even think they had themselves. Selfishly, that’s one of the reasons I love doing it, and it’s nice to see the underdog win.
[00:29:35.780] – David Puner
Is there something that someone who’s new to a cybersecurity role and coming from an entirely different work trajectory, is there something they typically have difficulty adapting to or understanding when it comes to the cyber role?
[00:29:47.980] – Segment 2: Omar Khawaja
When we’ve had people move in from other parts of the organization, from a more traditional IT role, where they may have just been focused in one area for a very long time of IT, it is a tough transition to come into security, because security after that feels a little disorganized. It feels like the Wild Wild West. It feels like, “Why don’t we have our plans defined for the next 12 months? Why are we deviating from the plans we said we would execute on a year ago?”
[00:30:16.350] – Segment 2: Omar Khawaja
Being able to adapt, being able to change is really, really important. I think that’s much more a mindset that the individual comes with. If someone comes in with a growth mindset, someone is comfortable operating in ambiguous environments, those are probably two things. Maybe the third thing I’d throw in is someone analytical and curious.
[00:30:36.450] – Segment 2: Omar Khawaja
If someone has those three or four characteristics, they could have studied biology for all I care, and they could probably be very successful in cybersecurity if they’re willing to put that learning mindset on and put the effort in.
[00:30:50.820] – Segment 2: David Puner
CISO is a tough job, very stressful. Do you have a support network of other CISOs that you’re talking to regularly?
[00:31:00.280] – Segment 2: Omar Khawaja
Yeah. David, Carnegie Mellon, by many accounts, is the place where cybersecurity was invented, and particularly the CERT, the Computer Emergency Response Team at the Carnegie Mellon University. As part of the program, I’m one of several faculty members that have the privilege of teaching and many other CISOs. I get to interact with many other CISOs as part of that program.
[00:31:27.260] – Segment 2: Omar Khawaja
Then through my board appointments at HITRUST and the FAIR Institute, I also get to spend time with lots and lots of CISOs. Then just generally, having been a CISO for so long, I’m very fortunate to have befriended many people. If it weren’t for them, I don’t think I would be where I am.
[00:31:48.060] – Segment 2: Omar Khawaja
We need some of that network to console each other, to let us know, “Yes, it’s hard, but you’re going to get through it. It’s not the end of the day. You’re not the only one that’s going through it. It’s not supposed to be easy.” We definitely need that network of motivators around us and inspirers around us and sometimes a shoulder to cry on or sometimes a shoulder to another person to vent to.
[00:32:16.710] – Segment 2: Omar Khawaja
But one of the things that I found, and when I talk to other leaders with different roles, I don’t think anyone has what CISOs have. The amount of camaraderie that we have is unimaginable. I can go talk to the CISO of my closest competitor, and he will tell me or she will tell me whatever I ask them for.
[00:32:39.600] – Segment 2: Omar Khawaja
When I talk to some of my own executive peers at Highmark and I say to them, “I know the CISO of X company, and Y company, and Z company, and they’re my friend. When this incident happened, I reached out to them, or they reached out to me, and we worked through this.” They’re like, “Omar, how are you friends with them?”
[00:32:58.360] – Segment 2: Omar Khawaja
Because we’re not competing on cyber. We’re competing on our core business. But cyber is something that we want to help each other on. That camaraderie is absolutely fantastic. Honestly, if that camaraderie did not exist, I don’t think I would have survived as a CISO this long.
[00:33:15.480] – Segment 2: David Puner
Great. Could you share your supply chain security philosophy and how it factors into safeguarding systems and delivering patient care?
[00:33:22.910] – Segment 2: Omar Khawaja
It’s twofold, maybe two fronts that we focus on and then a lot of stuff in the middle. On the one hand, for our own environment, we want to make sure that we’re actively scanning the environment to identify if there’s any gaps as best as we can. That is definitely an imperfect science to do that for every single component and subcomponent of every application, and every class, and every library that we have running across the enterprise within our four walls and in clouds and elsewhere. There’s that aspect of it.
[00:34:01.020] – Segment 2: Omar Khawaja
Asset management and things like a software bill of materials become very core components there. Partnering with the technology organizations and helping them understand the value of this. This is maybe a little sadistic to say, but Log4j helped a little bit because we understood the amount of time and effort and pain we had to go through, because we didn’t have a great SBOM. After that experience, no application team wants to go through that again. Now, we’ve got a burning platform to go deploy SBOM and do that well.
[00:34:34.760] – Segment 2: Omar Khawaja
The other aspect of it, Dave, I think which is really important is to apply some responsibility and expectation to our third parties to take care of the components that they’re using. On the one hand, when I go and buy something, it’s up to me to go look at the packaging, to go look at the expiration date, maybe to go pick a grocery store that I am going to feel comfortable with. I’m probably not going to go buy milk from a grocery store that I know has routine power outages because the milk may be spoiled. I’m not going to feed that to my three-year-old, because in spite of his antics, I still love him to death.
[00:35:17.160] – Segment 2: Omar Khawaja
But we’ve got to practice responsible care when we’re acquiring things. But at the end of the day, it really is up to that third party to make sure that they’re telling us exactly what ingredients are on there. If there is an issue that they are issuing a recall, they’re issuing a patch, they’re communicating with us, they’re letting us know versus saying, “We gave it to you. It’s no longer a problem. You go figure it out.” I feel like as an industry, we haven’t quite figured that out.
[00:35:45.060] – Segment 2: Omar Khawaja
In the world of food products, there’s nutrition labels, and the USDA regulates that. In other worlds, the underwriter’s lab gives you a stamp that says, “We feel that this device is not going to electrically shock you or set your house on fire, so you could trust it.” I think we need something as simple as that.
[00:36:11.000] – Segment 2: Omar Khawaja
The only thing that makes it complicated in our world is it can’t be point in time. It has to be an ongoing seal of approval to say, “It’s gone through this process. It may not be sufficient, but it’s at least a starting point.”
[00:36:25.020] – Segment 2: David Puner
We’ve already talked about how stressful a job CISO is and looking at 2022 and your nine years of service as a CISO, how did 2022 rank as far as stress levels go? Then going into 2023, how do you intend to manage the stressors of the job and try to avoid burnout, if that’s something that’s actually on your mind, of course, and team stress as well?
[00:37:00.280] – Segment 2: Omar Khawaja
David, absolutely. I think that’s a fantastic question. Burnout has been on my mind for the last two and a half years, ever since the beginning of COVID. If I’m honest, I feel like this year, I definitely hit burnout for several months.
[00:37:18.440] – Segment 2: Omar Khawaja
By far the best tool a CISO, or for that matter, any leader has is the team. If you have a strong team and you’re willing to be vulnerable with them, you’re willing to be honest with them, they can do a lot of the work that you think you have to do yourself. As leaders, if we just let them do that and if we give them the opportunity, I could tell you what I found over and over again is that my team was capable of doing a lot more than even I thought they were capable of doing, and they’ll rise to the occasion.
[00:37:51.600] – Segment 2: Omar Khawaja
I’ve delegated a whole lot more in 2022 than I’ve ever done in my previous eight years as a CISO. I expect the team to take on more and more of the work and take it on and to also find times of being able to slow down, times of quiet, times of disconnection.
[00:38:15.220] – Segment 2: Omar Khawaja
For instance, this past Saturday, I did something that I’ve never done since the day I got my first smartphone, which is I did not touch my phone for 24 hours. I was so afraid the battery was dying, but I didn’t even want to turn it around and see what the battery was.
[00:38:31.740] – Segment 2: Omar Khawaja
I said to my daughter, “Can you tell me if the battery is dead on the phone or not? I just want to make sure all the messages have come through,” because at some point, I’m going to need to go to it. But it was one of the best things I’ve done. I’ve never done that before in my life. That’s important.
[00:38:45.330] – Segment 2: Omar Khawaja
One of the other things I’ve instituted over the years, and I made this a requirement for every leader on my team, is that they identify one of their direct reports to lead their team for an entire month of the year. That gives the leader an opportunity to step back. They can go on vacation, they can focus on training, they can focus on planning, or strategy, or big picture, or thinking, whatever it is. But they no longer have to show up to their own meetings because they’re no longer in their role, their direct report is.
[00:39:18.530] – Segment 2: Omar Khawaja
David, I think part of the reason it’s really important is because as leaders, we’re role models, we set the tone, what we say, what we do, how we behave. Whether we like it or not, I’ve realized other people are looking at it and paying attention.
[00:39:31.590] – Segment 2: Omar Khawaja
If I’m not willing to share that I’m not perfect, if I’m not willing to share that I don’t have it all figured out, if I’m not willing to share that, yes, I’ve hit points of burnout, then what we’re implicitly doing is we’re telling our teams that it is not fair for them to feel or believe any of those things. If we’re doing that, we’re actually being horrible leaders. Ultimately, all of us, as leaders, are trying to do the right thing.
[00:39:54.990] – Segment 2: Omar Khawaja
What we would rather be are the reliable leaders that the people in our teams that report to us really deserve. That’s what we should be focusing on. So much of that is reducing the complexity within our programs to a level that is an absolute minimum. It’s also about bringing humanity back to the workplace, encouraging connections, and giving people the opportunity to be their human selves, and bringing their whole selves to work every day.
[00:40:26.440] – Segment 2: Omar Khawaja
If we do those things, we are going to be very successful leaders, running successful programs, and keeping the adversaries out of our way.
[00:40:34.890] – Segment 2: David Puner
Omar, thank you so much for coming on to the podcast. Really terrific speaking with you. Looking forward to catching up with you again.
[00:40:42.540] – Segment 2: Omar Khawaja
No, I’m very appreciative and grateful for the opportunity to be on the podcast. Thank you for the very thoughtful questions, David.
[00:41:00.780] – Segment 2: David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment, preferably, but it’s up to you, or an episode suggestion, please drop us an email at [email protected], and make sure you’re following us wherever you listen to podcasts.