Q: Welcome, Cecil. Thank you for joining us today. To start, could you share a bit about your journey as a CISO and how your perspective on the role has evolved over the years?
A: This is my third time leading a security team, and the first job… I thought I did a great job. Now after many years, I look back and I said, I didn’t really make a very significant improvement. I did manage the security. We didn’t get breached, but I wish everything I know today, I would have applied it, you know, 14 years ago. I always like to think that a CISO is a technical leader, and many years ago I realized that is no longer the case. Many of us are business leaders, and part of that is communicating, connecting people, collaborating, partnerships… I think that our job as a CISO is 80%, you know, making sure that you collaborate with your partners. Technology is still important, but I see that as a smaller part of our role. That’s why we have people underneath us to focus on the technology. As a leader of our cybersecurity program at R1, my focus is making sure that our program moves forward, that we’re working with our stakeholders, with our partners, not just internal leaders, but also our partners and customers. I think connecting with them almost on a real time basis is really key. When a major incident happens, or it could be us, it could be someone. It is really key that we can communicate really quickly because if you don’t… malware… you know, all the threats… they just spread so quickly. It’s a matter of minutes or seconds. So we have to make sure that we have established a great partnership with our partners and customers to make sure that we could collaborate in real time.
Q: Amazing. Before we dive into the details, could you give us an overview of R1 and its role in the healthcare industry? Additionally, can you share some insights into how your security team is structured and how it operates to support such a large organization?
A: Not many organizations are familiar with us. We are the back office of many hospitals and clinics, and some are large health systems, and we’re like a hub for many of them. We manage the back end, from scheduling to collection and billing, everything in between… the people, the process, the technology, we manage all of that. But of course, we can’t do it alone. We have to partner with our customers to make sure that we can operate continuously and securely. I started here less than three years ago. We were like 24,000 employees. I think we’re approaching 40,000 now. We’re growing organically. We’re also growing by acquisition. You probably saw us in the news acquiring a few companies along the way in the last few years. I inherited a team, and through acquisitions and growth, we’re able to build a very… you know, fairly large team now, more than 100 people now across different teams. We make sure that we group them according to certain disciplines or domains. We have folks that are dedicated for governance, and risk… compliance. We have people in operations and also spread across the world. So we have kind of, sort of a “follow-the-sun” model.
Q: It sounds like you’ve built an incredible team. Could you walk us through the initial challenges you faced when you first joined R1, especially regarding visibility into your systems and data?
A: Oh, that took a long time. That took a long time. I think the first key is visibility. When I got there, we want to make sure we need to understand what we have and not just devices… applications, users, their identities, our data… we have to make sure that we could discover all of them. At the same time, being able to assign risk, be able to assign their criticality to our organization, it took a lot of work, and it’s not security… not just security work a lot with our partners. I would say one of my best partners at the organization is the business resiliency team. They were responsible for ensuring that we know what critical applications we have, what critical data we have, and users and data as well.
Q: Collaboration with technology partners is crucial. How has working with Symmetry helped you address these visibility challenges?
A: We were very glad to, you know, to have met you. Your technology has helped us give us that visibility that we didn’t have in the past. Your technology helped us be able to identify where our sensitive data is and who has access and even what’s the status of the data, if anyone has… When’s the last time someone accessed the data? So those are really valuable insights that we didn’t have in the past. In the beginning, we had to make… We had to protect data. That’s why our first reaction was: “let’s get DLP first.” Once we were able to get DLP implemented, that was the time when we were like, I think we’re ready for a DSPM product. A few years ago, we implemented our DLP, and that’s helping us protect our data from leaving the organization. And that paves the way for a DSPM solution as our second phase for our data security program.
Q: Given the sensitive nature of healthcare data, deploying security solutions in highly controlled environments is crucial. How important is it for your organization that Symmetry’s product can be deployed using an air-gapped method, and how does this capability influence your overall security strategy?
A: That helps a lot. You know, we want to make sure that we are protected. In the business of healthcare, PHI is our crown jewels, we have to protect them. Every healthcare organization at the center of… At the center of every healthcare organization is the ability for us to be able to use data and share it across different entities. That’s how when you go to the doctor, you get tested… That information gets shared to third-parties for, you know, the lab, you know, your billing, your insurance claims, all of those components. Data sharing is a key to our healthcare infrastructure, but at the same time, it is a massive endeavor to protect data sharing.
Q: It sounds like you have a well-integrated approach to security. How do you ensure that all your partners, both internal and external, meet the same rigorous standards that you set for your own team?
A: We have done a lot protecting our environment, and we’re not even there yet. There’s no… in cyber security, especially in healthcare, there’s no end date, no target date, because you’re constantly protecting and ensuring that data is available and always protected. At the same time, we cannot do everything without the help of our partners. My two best partners in the IT side of the house, the infrastructure and IT operations, they help me make sure that all our systems are up to date with patches. They help me make sure that every endpoint that you deploy out there is equipped with the right technology, with the right configurations. At the same time, we work with our partners from our risk and compliance to make sure that we meet our contractual obligations and compliance requirements. So it’s across the board, we work with data privacy to make sure that we always operate with, you know, with the right framework, making sure that data is always protected and in accordance with our data privacy requirements. We work with our partners from our service providers. We hold them at the same standard we are expected by our customers. We want to make sure that our downstream vendors are also complying with our requirements and standards. Our legal team, our partners… from contracting to working with third parties… As I mentioned a few minutes ago, collaboration with partners is really key. However, we need to make sure that all our partners comply with our contractual agreement.
Q: We’re glad to hear that our solutions have been impactful! Could you elaborate on the time-to-value you’ve experienced with our product, particularly during the proof of concept phase?
A: Oh, it’s immediate, when you were working with my team, I was blown away when just a few days after we kick it off, we’re seeing the results of the POC. So it’s days, unlike in other technology, wait for months or even years, but, you know, time to value is very quick.
Q: DSPM has certainly established itself as a powerful tool for proactive data visibility, but do you see this as the full extent of its role in data security? How else do you think DSPM can evolve to further enhance your organization’s data protection strategy?
A: I think you could use it at any, any part of our lifecycle. Foundational even in incident response… I would even challenge that it is your day to day operational tool as you continue to run discovery, because data is constantly copied… across systems. Not just internal systems, but external systems. I’m a big fan of making sure that data is constantly being discovered in real time. You don’t want to know that you have new data repositories next week or two weeks from now. You want to know them today. When that data is created, a CISO should know that: “Hey, you have a new set of data on this server… and by the way, they’re all sensitive… and by the way, these are the people who have access to it.” I think that is really key, knowing who has access to it. Use of data is really key for every operation. We need to operate as a business, and I think the question is how much you protect that data and who has access to the data.
Q: Outside of the security team, was it difficult to convey the value to the rest of the business?
A: Oh, it’s easy. It’s easy. The moment I shared our first dashboard, our first report… we felt it’s already… we already ROI-ed. Of course, you didn’t hear that. No, it was really valuable. The insight that we got on the first report was like: “wow.” We knew that we have that data, but seeing that on paper was like a validation. Yep. Yeah. And we were able to validate what we were doing and I was like… “oh, yep, our concerns were correct.”
Q: How do you see DSPM tools helping CISOs manage and reduce their data footprint effectively?
A: Every organization… we’re guilty of storing, processing too much data. And I believe that this will enable many CISOs to be able to start validating what you have and ensuring that you could actually reduce your footprint… your data footprint. DSPM tools are, I would say, very useful for us to shrink that footprint, because every organization is just… we’re just storing too much data. I believe that a DSPM tool will help you shrink that footprint to a manageable level… an acceptable level that you could actually still operate as a business, but same time you could actually manage the risks.
Q: As DSPM becomes more prominent, do you believe it will soon be a standard requirement for most organizations?
A: It is going to be a mainstream requirement for every organization. We know that data is at the heart of everything we do, but if we don’t focus a lot of our technology, our people… to maintain and support and secure this, it’s just going to be the same problem like most companies. Data breaches will happen and everything will just… you’ve seen this in many organizations. When Splunk and other SIEM-ware was starting, you know, we kind of… we believe it’s important, but as you move on and… no, this is a mandatory requirement. DSPM I believe should be a mandatory requirement for many organizations.
Q: Cloud adoption is a significant trend, but it comes with its own challenges. How do you navigate the decision-making process regarding cloud versus on-premises environments, and how does that impact your security strategy?
A: Well, I can be old school. Sometimes I like to make sure that data is within my grasp and in my environment, but at the same time, it’s not cost effective. Unfortunately, in this day and age, everything has to be in the cloud because of many reasons. One is cost. Second, it’s the availability. Many of our cloud providers are all, they’re all highly available, than if I host it at that call location in my city. I think that is a decision that is made by not someone in security. At the same time, if they decide to be on the cloud or on-prem or hybrid, we need a technology that could adapt to both like yours.
Q: We’re honored to be chosen by your team. What were the key factors that led your team to select our solution over others?
A: There’s a lot of great DSPM solutions out there, but I would… we’re really impressed with what you are doing, and unfortunately, I’m not the person who was on those controls when we were evaluating, and I have to trust my team’s decision. They all unanimously voted for you, so you must be doing something good.
Q: Switching gears a bit, could you tell us more about CISO XC? What inspired its creation, and how do you see it evolving in the coming years? What is unique about Dallas?
A: No, we, we just got lucky in Dallas that we have… two of my friends decided one day that, “hey, you know, we should do this.” I don’t think it’s just Dallas. I think we’re mentioning Dallas because we started… CISO XC started in Dallas, we’re going to start growing CISO XC in different cities. A lot of people asked me, are you bringing CISO XC to our cities? And I said, no, we’re not bringing, we’re building the CISO XC in your community. We believe that the local leaders should be leading those communities, and I believe Dallas, we just started here, and that’s why the community is so tight. It was so easy to roll out CISO XC here in Dallas. I’m excited for Austin. We’re very excited about Atlanta. And in the next couple of years, you’ll probably see us in a dozen cities. So hopefully we will see Symmetry in those cities.
Q: It sounds like CISO XC has really brought the community together. What has surprised you most about the engagement and the impact it has had on the cybersecurity community?
A: So many, lot of cybersecurity leaders are, you know, we’re very proud professionals, but at the same time, I was surprised when we built the CISO XC community and we started bringing the advisors and all the community members… I was very surprised about the engagement, the openness. People were willing to… “hey, I have a job here.” “Hey, by the way, what SaaS solution are you using and why do you like it or not?” We started, you know, the chat group we have, you know, the other day we were talking about: “hey, who’s your MDR provider?” Just like 20-30 people provided their inputs there and why they like Company A against Company B. The engagement is very surprising because we all know cybersecurity people are mostly not, you know, they usually try to keep it to themselves. This community created that avenue for sharing. We bring all of the youngsters, even the vendor community. Some are at the start of their career, you know, you sit down with CISOs and many people found their jobs in those gatherings. I didn’t do an accounting, but I would say in the last two and a half years, I would say about 40, 30 to 40 people found their jobs in our community. Yeah.
Q: Thank you for sharing your insights, Cecil. It’s been a pleasure speaking with you today.
A: Oh, appreciate, and thank you for, thank you again for inviting me here.