Secure by Default & Design
Please, introduce yourself
Sandy Dunn, CIO /CSO. My primary responsibility is to oversee the systems and security practices required to support BreachQuest’s unique business goals and objectives. BreachQuest is developing its flagship incident preparedness platform, and it is such an exciting time. I’ve also met with many BreachQuest customers and supported BreachQuest’s advisory services.
You have been in the industry for 20+ years. What first attracted you to cyber and information security?
I have always been intrigued and fascinated with technology. What initially sparked my curiosity about security and computers was a conversation in 1997. I spoke with a professor writing a novel about a real-world experience he had. A student in his class wrote an email about killing the president. Two days later, the FBI spoke with the student about his email. The professor also mentioned “Carnivore,” a scary name for a packet sniffer deployed by the FBI at Internet Service Providers. I was immediately intrigued! FBI, ISPs, sniffers! This internet is more than joke sites! I was speaking with the professor because I was a salesperson at MicronPC, and he needed a new laptop to write his book. It was such an exciting time, and we all knew we were part of something that was changing the world.
When I joined HP, I was assigned competitive intelligence for digital sending responsibilities. I added security because I thought it was an important area and needed to be reviewed.
One character trait I have and share with many white-hat cyber security professionals is I’m not too fond of rules and boundaries. I immediately want to know why it’s a rule and start thinking of potential ways to get around it. After exploring every aspect of the rule, the positive result is when someone else needs to know why it’s a rule, and if it is secure, I have a fairly comprehensive answer.
You just came to BreachQuest from the Healthcare sector. What do you see as the biggest obstacle(s) for healthcare’s cyber security teams?
- HIPAA legal requirement to disclose any breach.
- The 18 HIPAA identifiers – A compromise of any constitutes a breach.
- Complexity and size of the organizations – Even smaller organizations can be very complicated.
- The massive number of audits – If time is spent providing evidence of the existing security controls, it leaves less time to implement and improve other security controls.
- A healthcare cybersecurity team faces the same challenge almost every other cybersecurity team faces: getting everyone in the organization to recognize security is part of their job.
How do healthcare organizations protect themselves when 60% of their breaches are from vendors?
Healthcare faces the same supply chain security challenges impacting every other business and organization. Most organizations have a third-party risk program. I’ve even heard of organizations evaluating fourth and even fifth-party relationships, which is amazing and would require a large team. Most of us recognize third-party risk assessments relying on open-source data and questionnaires only identify the worst vendors, which is progress. Still, we all need a better way to identify and address risk in business-to-business engagements. Vulnerabilities such as Log4j are forcing great conversations.
How has the transition to working from home affected cyber security in the healthcare industry?
My own experience was positive. We were in a favorable position due to IT architecture decisions made before the pandemic, which enabled transitioning to working remotely at low risk and with minimal effort. As a team, we saw an improvement in performance and efficiency. Working from home allowed people on the team to focus. They were not interrupted by “drive-bys” or “shoulder taps,” which happen in a busy office. As a leader, I find it challenging because you miss those face-to-face interactions that make sure everyone on the team is in a good place.
As a professor, what would you recommend for someone just starting in the industry?
I encourage people to get job experience outside of cybersecurity before joining a cybersecurity team. Understanding the business and users within an organization is valuable, so you have their perspective. Then you will recognize, as important as security is, the company needs to be successful. “We can be the absolute best cybersecurity team on the planet, but if the business fails, no one has a job.”
When I speak to people (students and others) about a career in cybersecurity, I am open about the challenges. There is little recognition for the 99% of things prevented but high recognition for a single failure that negatively impacted the organization. The people who thrive in cybersecurity are resilient, passionate, and see it as a calling, not a job. It’s also a constantly evolving technology, and there are always new threats. There is never a point where you feel you know enough or that everything is secure. A person must believe in the work and its importance because the problems are significant, and solving them requires deep resolve.
There is a gap between what students and most people outside of cybersecurity think we do and the skills and talent that actually help you succeed. There is a perception that people in cybersecurity spend their time red teaming and hacking systems, when that is a small part of what we do. Cybersecurity teams need development expertise, risk quantification, auditing of security controls, and of course, people with good communication, documentation, and project management skills.
As a woman in cyber who has been able to find a career she enjoys, what is the value of diversity in leadership?
My own experience has been that you learn something from every leader or manager; the more diverse, the better. Initially, the security discipline was full of misfits, and I gravitated to it because I fit in. The 1995 movie Hackers is a perfect example of diversity before diversity. At some point, I recognized that what made me different made me excel. I became focused on finding big problems to solve.