The cybersecurity mantra at Jefferson Well being is “if we will’t do it properly, we’re not going to do it” says Mark Odom, CISO of the Philadelphia-based healthcare group. Such an method has proved integral to Jefferson Well being’s fast-tracked transition to a cloud-first, distant mannequin to fulfill the calls for of the COVID-19 pandemic.
The truth is, by placing cybersecurity on the fore of its cloud improvements, Odom believes the hospital has put in a extra environment friendly, agile, and risk-focused safety method to guard is 34,000 staff. “Our technique has been cloud-focused for just a few years, however numerous our platforms are very massive and usually you don’t transfer them over a interval of months, you progress them over years. The pandemic accelerated issues in fact.” Certainly, the hospital’s huge databases span healthcare, training, and analysis operations with some reliant on legacy, end-of-life techniques that wanted shifting to the cloud for larger flexibility, cost-effectiveness, and safety.
Cybersecurity tradition key to cloud adoption
Odom champions a tradition of cybersecurity in traversing this journey successfully, one thing that’s pushed down by his boss, a former CISO himself. “He will get the safety message, which actually makes it straightforward for me to deal with executing as a substitute of promoting him on why we have to do issues securely,” he says. “We had the safety runway to deliver issues on top of things in a method that was proper from the start – not coming in behind the curve like we’ve got completed with conventional on-premises infrastructure.”
Having the right safety tooling in place upfront prevented folks from spinning issues up insecurely, Odom explains, eradicating “powerful, uncomfortable” conversations round altering techniques in manufacturing and operation to fulfill safety requirements. “A really methodical, deliberate method which understood safety from day one has paid us dividends.”
Enterprise alignment is one other cultural factor central to Jefferson Well being’s cloud transfer, Odom says, with governance integral to positioning cybersecurity inline with wider organizational dynamics. “We have now various operations all with very totally different missions and necessities from a regulatory standpoint. It was very a lot about understanding the enterprise use circumstances for all these areas and their wants within the cloud area, after which spending an unlimited period of time with our cloud architects to get the cloud builds proper.”
To make sure he maintained this business-focused mindset, Odom says he frequently sat on analysis steering committees with fellow stakeholders and friends to encourage open dialogue throughout totally different contact factors throughout the group.
Distant working amid cloud growth
Jefferson Well being’s transfer towards a cloud-first mannequin was hastened by the necessity for agile, distant working amid the COVID-19 pandemic. “We have been already working towards having extra distant days for workers, so it was truly a really easy transition to pandemic mode,” he says, including that he was shocked by how few safety challenges have been encountered.
Whereas Odom acknowledges the pandemic-related threats posed to Jefferson Well being similar to spikes in assaults focusing on its vaccine endeavors, a placing cybersecurity profit quickly turned evident as his personal group spent extra time working from residence. “Should you think about any safety operations middle, most of us are already following the solar 24/7. Once we went distant, numerous our incident response actions turned simpler as a result of we didn’t have workers sat on trains, vehicles, or buses to/from the workplace. They now had full setups at residence. Let’s face it, the dangerous guys prefer to run their assaults on Friday night, Saturday morning, and so on. whenever you’re not within the workplace.”
Odom cites a 25% lower in response time via distant work, with a 20% general group productiveness enhance. “We’ve actually reaped the advantages of distant work, and we’ve got been in a position to apply the additional productiveness to the opposite challenges the pandemic caused.”
Nonetheless, management, coverage, and academic points wanted addressing to make sure distant working didn’t hinder the safety of Jefferson Well being’s wider day-to-day operations, Odom says. “Community-based safety instruments have been shifted to endpoint controls, and if you consider a cloud-first technique, that’s the course you’re getting into anyway. Should you’re actually aiming for a cloud mannequin, you’re not specializing in network-level controls – your controls both should be on the utility stage or the endpoint stage.”
Acceptable use insurance policies have been additionally bolstered as company gadgets displaced the non-public gadgets of staff working from residence, Odom says. “We figured over time there could be some blurring of labor/private use on company gadgets, and so we have been required to dam numerous non-authorized work websites similar to Google Drive.”
Not all non-work important providers have been blocked, Odom provides, however he and his group labored pragmatically to evaluate these with the best potential for hurt. “That clearly wasn’t all the time an incredible satisfier for the end-user inhabitants, however once more, coming again to the tradition they acquired it, understood it, and tailored.” Little doubt an influential issue right here was an elevated deal with cybersecurity consciousness coaching to embody new distant working dangers. “We doubled the quantity of safety consciousness coaching as a direct response to employees being additional away from the mothership.”
Enhanced danger administration via a cloud-first method
Reflecting on how cloud transformation and the introduction of a extra fluid, distant working mannequin has impacted Jefferson Well being’s cybersecurity place, Odom factors to a diversified method to danger administration. “We’ve gotten rid of numerous danger by going to cloud-first, distant working as a result of it forces you to section your setting. Should you’re not on the community, it’s much less doubtless that something [malicious] on an area endpoint goes to bounce to an endpoint sitting subsequent to it,” he says.
Cloud-enhanced danger metrics have confirmed key to a brand new danger administration method, Odom says. “If you need outcomes, you must measure these outcomes. Nonetheless, there comes a degree the place the labor of measuring outcomes diminishes the general worth, and also you spend extra time measuring that remediating. Zscaler gave us a chance to get automated metrics and measures in from day one, so I’m not spending FTE time or high quality data safety professionals’ time on measuring one thing – the software is measuring and the group is reacting.”
By way of improved metrics, Odom has been in a position to quantify a shift in danger from an annual loss publicity perspective, for instance, almost about the specter of ransomware. “Once we have been all on-premises, a ransomware assault was (and I’m making these numbers up considerably) say round $250 million price of affect, and there was a 2 to three% probability that it could occur. As we moved extra to the cloud, that curve lowers considerably, as a result of a ransomware assault doesn’t infect your entire setting, it could simply have an effect on a single service line, in some circumstances. Meaning possibly solely $4 million to $5 million price of affect, however the probability goes up as a result of you’ve that many extra fronts now. The cyclical price wherein we’re coping with these occasions is greater, however the affect is decrease.”
As for fellow CISOs in search of to undertake a cloud centered, non-network reliant method to safety, Odom advocates taking the bull by the horns as early as potential. “Everybody used to say that the cloud will not be safe – however that’s not an correct assertion in any respect. With cloud, we’re not inheriting among the legacy practices that on-premises introduced us, and it provides us the chance to do it proper. It may be safer; it simply takes the correct planning. You’ve acquired to be in entrance of it – don’t let it get in entrance of you, in any other case you’ll be combating towards some dangerous hygiene practices. The earlier you get in entrance of it, the higher you’re going to be.”
Copyright © 2021 IDG Communications, Inc.