What is the Cost of Loss?

Season One · Episode 11

In this episode, host Raghu Nandakumara sits down with Richard Staynings, Chief Security Strategist at Cylera, to discuss how the role of the CISO has changed over the past 30 years, the IT challenges facing modern healthcare organizations, and today’s cybercrime landscape. 

Transcript

0:00:00.0 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today I'm joined by Richard Staynings, Chief Security Strategist at Cylera, a pioneer in medical device and healthcare OT security. Richard is a globally renowned thought leader, author, public speaker, advisor, and advocate for improved cybersecurity across the healthcare and life sciences industries. He has served on various healthcare security working groups and teaches postgraduate cybersecurity and health informatics at the University of Denver. Today, Richard joins us to discuss how the role of the CISO has changed over the past 30 years, the IT challenges facing modern healthcare organizations, and today's cybercrime landscape.

0:00:54.0 Raghu Nandakumara: Hi, Richard. It's fantastic to be able to speak to you, and thank you for joining us on this podcast. So I mean, I've been looking through your background, your CV, your website, and it's a severe understatement to say that you've had quite the illustrious and storied career. So let's start by you taking us on your journey through cybersecurity, from where you started to where you are today.

0:01:19.3 Richard Staynings: I hope we got enough tape here to record all that but...

0:01:21.4 Raghu Nandakumara: That is the podcast, by the way. That's the episode.

0:01:25.6 Richard Staynings: So let's just say I've been in the cybersecurity space for probably 30 years, long before anyone called the space that we're in "cybersecurity." It was kind of information security and compliance and risk, which has all come together into what we call cybersecurity today. I've tended to focus across a number of industries. I've been CISO, Chief Information Security Officer, for financial services, for healthcare entities, for other industry verticals. I spent a lot of time in education as an adjunct professor of cybersecurity and health informatics at the University of Denver. I get to do a lot of great conferences around the world as part of my role for Cylera, which we'll probably talk about in a little bit more detail. I've tended to focus, throughout my career, really on the intersection of cybersecurity and healthcare, partly because I grew up with a medical dictionary in my mouth, thanks to a father that worked for the NHS. You can probably tell the British accent here, and partly because I was the only one who could do those HIPAA assessments when they came out back in 1996 in the US. So, I kind of got lumped in here actually.

0:02:33.0 Raghu Nandakumara: I was actually gonna ask you how you ended up in healthcare security, but you've partially answered that, and we'll come back to that. When you were talking about your career, you talked about sort of doing that CISO role across a number of organizations and a number of verticals, and of course you've been in this field for 30 years plus. So how have you seen the role of the CISO evolve in that time period?

0:02:54.6 Richard Staynings: Oh, absolutely drastic revolution, particularly in the last 5 to 10 years. So I think the security leader, if we use that as the generic term here, was really someone that came up through IT. It may have been the person who was responsible for initially configuring the firewalls, or maybe the person that did the annual risk assessment for compliance reasons and checked all the boxes. It may have been someone else that came in in a kind of a lateral move, what we would describe as a lateral move today, into the cybersecurity space. The role now has changed to being an executive leader. It's now come to sit at the right hand of the CEO of an organization, often with direct reporting into the CEO, because the risk, the enterprise risk of the organization, is really dependent on the CEO and the board of directors understanding their cybersecurity risk posture.

0:03:51.9 Richard Staynings: It's no longer a technology discipline of reporting up through the CIO or the CTO through to the lofty executive committee. It's now one of direct reporting and direct risk explanation. I think that's brought around a significant change in the types of skills that security leaders need to present. They need to understand the business, they also need to be able to understand the technology, but they need to be able to most importantly, translate cybersecurity technology risks into business enterprise financial risks so that the CEO, the CFO and the board of directors can make the appropriate decisions. They are after all the ultimate arbiters of risk in any organization.

0:04:36.4 Raghu Nandakumara: And I think that, paraphrasing what you just said about that security leader now being able to connect business decisions with security decisions, and hence the need for the security leader to be essentially sitting on that C-suite right at the top level of management, from your perspective, why has it taken so long for that evolution to happen? And is that really the right place for the security leader to be sitting?

0:05:02.5 Richard Staynings: I'll answer those in reverse order, right. I definitely think that the CISO needs to have a direct working relationship with the CEO, whether that's a direct reporting relationship or whether it's via the Chief Risk Officer or someone else, if that makes sense. And each organization is very different from another. So, for me to come up with a generic statement and say all CISOs should report to CEOs might not actually fit the organizational structure too well. I think there definitely needs to be a direct relationship there, and I think the CISO also needs to get exposure to the board to be able to present their analysis of the facts, their recommendations to the board in a business manner, rather than the fear, uncertainty, and doubt manner that a lot of my colleagues have used over the years. The sky is falling, give me some money so I can buy a new firewall, or I can hire another security analyst to watch all these logs that are bombarding me. It's an evolution, and I think we've reached the point where that relationship needs to be at a higher level than what it is in many organizations today.

0:06:08.8 Richard Staynings: Going back to your first question, I think there's been an evolution in cybersecurity over the last... Certainly the last 20 years. Probably 15 more markedly so. Security was seen as a necessary cost of business. It was a necessary cost that had to be shelled out every year, primarily because of chump compliance requirements because an organization was subject to HIPAA or GLBA or PCI DSS or one of the multitude of other regulations out there, that businesses had to adhere to in order to not get fined or to not get disabled, should we say, in terms of their payment processor. So that compliance driver I think was the initial spark that really lit the fire around the need for improved cybersecurity. And I think since that point, businesses have now developed their enterprise risk structures more around a risk framework that includes cybersecurity rather than simple business financial risk modeling, which was the prior case.

0:07:11.9 Richard Staynings: And as a result, cybersecurity has become much more important. And I think there's one other point there, and that is the fact that you cannot escape the number of cybersecurity attacks that are in the press; more or less every day someone is being hit. According to the research that we at Cylera Labs have actually discovered, two to three hospitals in the United States a week are being hit by ransomware attacks. That's just in the United States. Globally, it's about 1900 a month that are being attacked by ransomware today. That's just the hospital sector. If we look at other sectors, it's in the press every week, whether it's Royal Mail and people not being able to send their packages abroad, or whether it's another critical infrastructure industry, as we saw with pipelines in the US last year or the year before, or other businesses.

0:08:04.5 Raghu Nandakumara: From what you've just described, that just in terms of the more recent attacks and the disruption that they're offering. And we've definitely seen that shift in terms of the outcome of these attacks being very much around large scale disruption, often disruption that is touching individual people's lives as opposed to let's say a large sort of enterprise. Do you see this as a shift in terms of the motivation of the attacker that disruption is now the primary motivator versus let's say data exfil and the use of that data later on?  

0:08:38.0 Richard Staynings: So I think we have to understand who really are the perpetrators of cybercrime. And if we look at it in terms of the magnitude of attacks, China actually tops the list. Now, China is a state-sponsored perpetrator of cybercrime. They employ close to 100,000 People's Liberation Army "cyber warriors," as they're known. There are PLA units that focus on cyber espionage primarily. They are out to steal not only defense secrets, national secrets from the West in order to fuel the Chinese economy. They're also out there stealing commercial trade secrets of every business in every major sector, whether it's pharmaceuticals, so that they can steal the formulations or the research behind the drugs and take a drug to market via their state-owned industries in China, or whether it's the theft of F-35 designs so that they can build their own stealth fighter or stealth bomber. So that's China. That's the first real group. The second group is really the Russians. And they're in two separate groups. Although, I think in the last couple of years we've agreed that there's a lot of collaboration between the two groups, and in fact, they might well be conjoined. Obviously, there's a state aspect to that. The Russian GRU, the military intelligence unit, which brought us NotPetya, the single biggest attack, which cost somewhere between $8 and $12 billion in losses and took down a large number of global companies.

0:10:02.7 Richard Staynings: That was actually a mistake that was targeted against the Ukrainians, as many of your listeners will know, that backfired and took down a lot of Russian organizations as well as the rest of the world. And then there's the cybercrime syndicates within Russia, which may roll up under the Russian Mafia, and ultimately to Putin, who seems to be the head of the snake, as it were, if we believe what our intelligence tells us at the moment, that they're inextricably connected, and those are monetarily motivated. And I think what's happened is that since the war with Ukraine, a lot of those organized crime syndicates have been working hand in hand with the Kremlin in order to disrupt. And I think we're seeing that as a kind of a slap on the wrist for political actions of the host countries in which organizations are hit. And we can look at the recent Royal Mail attack as an example of that, because it coincided with Britain's declaration that it would be providing more weapons and more funding to Ukraine in its war against Russia.

0:11:08.6 Raghu Nandakumara: And it's interesting because... we're absolutely seeing that shift that you so eloquently described, and that shift towards disruption seems to be really driving now the increased focus from a number of government and regulatory bodies, that focus towards resilience. Is that your observation, that it's the disruption impact of cyber attacks that is really driving the focus on cyber resilience?

0:11:34.8 Richard Staynings: Yeah, absolutely. I think a lot of senior executives used to question: What is the probability of my organization being attacked? Do I need to spend this money now? Can I spend this money on another pet project in the meantime and put off the cybersecurity investments for another year? Can I take a big fat executive bonus this year, knowing that my 5-year term as CEO is up next year anyway and I can walk away with X number of millions of dollars in bonuses for profits or productivity or whatever I'm being measured on in that organization? I think we've now reached the point where it's no longer a question of if I'm gonna be attacked; it's a question of how many times am I gonna be attacked and what damage is that attack gonna actually result in? And it's not just a question of fines and punitive damages because you were breached and a lot of your protected data is now on the darknet for sale by the crime syndicates, and anyone who wants to buy it. It's a question of the cost of restitution to those individuals in credit monitoring. It's a question of massive class action lawsuits by your customers against your organization.

0:12:50.8 Richard Staynings: It's reputational damage against that organization. In the US, how many people would go and sign up for a Target card, knowing that the Target card was breached as part of the attack several years ago? People have long memories. So there's a lot of things that build into that. But there's also, I would say, the single biggest cost factor is the downtime factor. What do you do if your organization is down for weeks or months? Are your customers gonna pick up and move somewhere else? We know that certain industries have very, very fickle customer bases, for example the cell phone industry. If you can't make a call for a week on your cell phone, you're gonna call up, cancel your subscription and switch to another provider. People do that all the time if there's $5 a month less on their bill. In healthcare, people have a lot less choice as to where they go because of their insurance companies. We're seeing the costs of loss mount up in the healthcare space, which is where I obviously focus, to hundreds of millions of dollars of lost revenue due to downtime.

0:13:54.7 Richard Staynings: And I could quote many examples here of hospitals that have seen their revenue dry up as a result of a cyber attack and the length of time it took them to fully restore their systems. So resiliency is absolutely critical. It's about sustaining an attack, knowing that you're gonna have one, sustaining the attack, having business continuity measures in place that are well practiced and incident response measures in place that are well practiced so that you can continue the business, even if it's just on a trickle level. And you can keep your customers relatively satisfied while you clean up and restore. And that requires high levels of resiliency in your architecture, your application, your infrastructure and so much more. And I don't think that we're at that point just yet.

0:14:43.4 Raghu Nandakumara: I don't think I could have asked for sort of a better and more accessible answer than that. And I guess... this is just as a follow-up really: do you now see that, in order to drive the change that is required and drive the improvement that is right, we see, let's say in the EU we've got NIS 2, we've got the Cyber Resilience Act, we've got DORA specifically for financial services to drive better cyber resiliency there. Do you see that these acts and sort of legislation, etc., that goes with it, are gonna bring the necessary improvements? Are you hopeful of that?

0:15:17.2 Richard Staynings: I'm very hopeful and I think with any changes to organizational resiliency, it needs to be a combination of carrot and stick. We've had the stick out there for a long time with GDPR fines, but most organizations are either too small to really need to worry about that or they've been going around with their heads in the sand saying it won't happen to me. And we've seen some pretty massive fines, quite frankly over the last few years for breaches. Right?  

0:15:41.6 Raghu Nandakumara: Yeah. Absolutely.

0:15:46.0 Richard Staynings: The results of inadequate resiliency, inadequate cybersecurity.

0:15:47.7 Raghu Nandakumara: Absolutely. So let's come to healthcare because that's obviously your... and healthcare security, your area of specialization amongst many. You said that you kind of came into healthcare security because you essentially swallowed the NHS textbook but there must be a bit more than that. When you were looking where to specialize, what was it specifically about healthcare, the healthcare sector and the cybersecurity challenges in the healthcare sector that was so appealing?  

0:16:14.8 Richard Staynings: Well, firstly, my father would've liked me to grow up to be a doctor, but I wasn't having any of it. I was more interested in the physical sciences rather than the biological sciences at school and decided that computers were the way of the future. In fact, I was the first person on my Liberal Arts undergraduate degree to actually type his own dissertation on a 4.7 kHz PC, if you can remember that far back, probably before your time, quite frankly. But it was slow and it had these massive floppy discs that my dissertation fitted on. I've had that fascination with IT for a long time. But I think the motivating factors were, one, that I knew the language, I knew the industry from the inside. Quite a lot of my family have worked in the NHS or have worked in other parts of healthcare, in psych services or in other parts of the social fabric of the NHS.

0:17:08.0 Richard Staynings: So I knew a lot of that and I also felt drawn to it because I could relate a lot of the experiences and lessons that I'd learned the hard way running financial services and take those back to healthcare. Financial services is probably 15 or 20 years ahead of the healthcare industry in most organizations because they have to, because they've been a target of cyber crime for so long. The difference is that in financial services, it's immediately apparent if someone's curtailed it from your bank with millions of dollars because the ledgers don't add up anymore. There's a transaction record there and you've had a large sum of money stolen and it's immediately apparent. In healthcare, it's less apparent. So a lot of hospitals have been hit 15, 20 years ago and they're just beginning to find out that they were hit 15 or 20 years ago.

0:18:00.2 Richard Staynings: And it's basically because someone has come in to do a forensic investigation of their systems, after a recent attack and found all these previous attacks that have gone unnoticed. We didn't spend the time and effort and money and didn't have the expertise on our staffs in healthcare to go chase down possible concerns. We didn't have the alerting systems there to let us know when something hinky was going on on the network. When there was anomalous activity, we just assumed that it was normal run of the mill activity. We didn't have the staff to go chase these things down. So I think I was able to translate a lot of the lessons that the financial services and other industries, high tech, for example, that I'd worked in had been able to accomplish and to bring those to healthcare. Hopefully I've made an impact.

0:18:50.0 Raghu Nandakumara: The internet is testament to that. And your content on there, the challenge that you're speaking about, I feel the way you're narrating them at this point, you're just focusing on the IT challenges of the healthcare sector or the cybersecurity challenges as it relates to their IT infrastructure. We haven't even spoken about the medical OT infrastructure yet. Is that correct? Because we're gonna come onto that in a second.

0:19:13.8 Richard Staynings: Yeah, and I've been talking at 50,000 feet here about the whole technology within the healthcare space. But most people don't realize that healthcare IT organizations, the IT group within a hospital for example, is only responsible for about 25% of the connected assets, the devices that connect to a typical hospital network. And you can extrapolate that to various percentages across clinics and physician offices and other providers of healthcare services. The vast majority of those devices are now medical devices. They're inert or largely inert devices that fulfill basic functions when called upon. They include everything from your diagnostic systems, X-rays, CT, PET scanners, ultrasounds, these sorts of things, through to highly complex radiological treatment systems for radiotherapy and drug treatment systems for chemotherapy, which are all connected to the networks by and large, to patient monitoring systems and management systems, to the systems that are attached to you when you're in the emergency room, that may be an automatic blood pressure cuff that measures your blood pressure every so many minutes.

0:20:26.3 Richard Staynings: A heart rate monitor, an O2 saturation monitor, which is the little clippy thing that they put on your fingers to measure your oxygenation levels. And there's a multitude of other devices that are now used by a simple ER visit, emergency room visit or emergency department visit, right the way through to intensive care units that have up to 50 medical devices per bed available for patients in need of all kinds of different levels of monitoring treatment. They're all connected to the hospital network. They're often on a separate VLAN which is a routing segmentation, not a security segmentation. That stops some of the multicast traffic from reaching those medical devices which are incredibly fragile. And they also include not just medical devices, they also include a whole heap of building management systems today. Your escalators and elevators or lifts, they're managed by a third-party hundreds of miles away because it's cheaper, better and more sophisticated.

0:21:27.6 Richard Staynings: And there's a little PLC that controls the lifts in a building that raises it to the right floor. It opens the doors, closes the doors, depending on how you've... What button you've pushed. And it does it millions of times throughout its lifecycle. And it only requires minor adjustments for the cables periodically for someone to come out and adjust the cables as they stretch. This is an example of a building management system that is relatively dumb, but it's connected and it could be used as a foothold onto the medical device network. Things like HVAC that control air pressure and air and temperature in our hospitals. We couldn't have survived COVID without HVAC. We couldn't have had negative air pressure rooms for all those pandemic patients without infecting our entire nursing and medical staff throughout our hospital and anyone else that happened to come anywhere near a hospital at the time.

0:22:19.4 Richard Staynings: Critical. CCTV cameras that monitor patients in their rooms to make sure that they're not having a seizure or something like that, and it goes back to a nurse call station, to physical security cameras that maybe monitor hallways and doorways. Physical security locks that physicians and nurses badge into in order to get into secure parts of hospital buildings. And there's so many more if you look at robots, pharmacy robots, Pyxis cabinets, for example, delivery robots, labs; the amount of IoT-connected equipment in hospitals is absolutely staggering. And we do a very, very lousy job of securing these devices, partly because they were never designed with security in mind. There was no regulation to say they had to be secure.

0:23:03.6 Richard Staynings: That's about to change as of October 1st, 2023, when the new PATCH Act goes into effect and new FDA regulations are brought online, and that will percolate across other countries, to the UK, to Europe, right the way down to the TGA in Australia, which mirrors a lot of the FDA rules and regulations, if not most of them, to be honest with you. So that's gonna bring around a change in some of those things, but we still have that massive gap on our networks right now. It's the open back door, and we spent a lot of money securing the front doors of hospitals: we have multi-factor authentication and a whole load of user-management tools for single sign-on and what have you across hospitals. But these are the open back doors. This is the open windows on the back... on the ground floor of the building that anyone can climb through right now. And it's concerning.

0:23:55.4 Raghu Nandakumara: You've provided such a great overview of that plethora of different types of connected devices that, let's say, a healthcare organization can have on the network. And you sort of refer to the front door, and I think about the front door of that traditional IT environment that we understand: it's commoditized, commodity hardware running commodity software. And while we can obviously do a much better job of securing that, we have good practices and understood practices to do that. On the connected device side, on the OT side, just from the variety of manufacturers, the types of devices, etc. Just as a starting point, what would be, as someone who's now very much in that sort of OT security space, what is good enough from an OT security perspective, and what is the holy grail that everyone is after on the OT security, or securing OT, side?

0:24:48.4 Richard Staynings: I'll start with your last question first. The holy grail, where we're trying to get to, is medical devices that are secure by design. They are supported by manufacturers. There are vulnerability assessments conducted periodically against those devices and disclosures made to the community about any vulnerabilities that are found in those devices. And patches are made available very quickly, depending on criticality, obviously, for any vulnerabilities found in each of those devices. And that includes a lifecycle, an expected lifespan for devices, so that we don't have hospitals amortizing medical device assets over 30 years when they're only supported by the manufacturer for eight, for example, which is often the case today because there is no lifecycle, no lifespan guaranteed by the vendors. And in fact, vendors do a lousy job of supporting devices once they've been sold. So that's really where we need to get to.

0:25:45.6 Richard Staynings: Now to get to that point, we need to adopt a risk-based approach to all of those legacy devices, because medical devices are like plutonium. They have a half-life measured in decades or hundreds of years. They're not retired. If you've got a Windows laptop, you may decide to replace that every two years, partly because it's cheaper to buy a new laptop than it is a new Windows license to upgrade to the new version. And partly because the thing's probably useless after two years of work. Macs have a slightly longer lifespan. But I'm a Mac guy, so I'm gonna say that. Right?  

0:26:17.1 Raghu Nandakumara: Likewise. Likewise.

0:26:18.1 Richard Staynings: Yeah. But medical devices tend to kick around for eight to 20 years in many cases. Certainly the big iron-type systems, X-ray systems. You are not gonna throw out a $25 million X-ray machine because of a vulnerability and because the manufacturer of that X-ray machine has gone out of business or is not making a patch available. So you have to put in place compensating security controls. And those are controls that risk assessors and auditors, like HIPAA, like OCR for example, the Office for Civil Rights, part of the Health and Human Services group, or other regulatory bodies that audit compliance, will accept as being a compensating security control. Now, to get to those compensating security controls, you need to understand the risk posture of every device type that attaches to your network.

0:27:08.6 Richard Staynings: And right now hospitals are... I was gonna say clueless, but let's just say that there is a large gap between what they think they have on their networks and what they actually have on their networks. And there've been a number of reports. There was one published over the weekend talking about the number of NHS Trusts, for example, that had very limited knowledge of the inventory of the assets that were on their networks. And this is common across the entire developed world. We don't know what attaches to our networks. We have a spreadsheet, an asset spreadsheet that's kept by clinical engineers or biomed technicians, and they update that as new devices come in. But what they're not updating is when firmware's updated on those systems, when applications are updated, when systems are returned to the vendor and RMA'd and replaced with a new system that may have a different OS on it or a different configuration on it.

0:28:04.2 Richard Staynings: And we really need to get to understand what assets connect to our networks, so we can understand the risks. And this is really what I've been working on for the last five years at Cylera in terms of building a true asset inventory with a high degree of fidelity of what connects to the network, mapping out the ports, protocols, destination IP addresses that each device requires so that we can lock those devices down in a Zero Trust framework. Now this is... And most people when I talk about Zero Trust, are probably saying, "Oh, you're talking about identities?" No, we're talking about the other side of it. There's the ID or the user to data object relationship, and then there's the data object to data asset relationship.

0:28:48.8 Richard Staynings: And it's that latter one that I'm talking about here. In this case, this is medical devices. If we can lock those medical devices down so that they can only communicate to the rest of the medical network on the ports and the protocols to the destination IP addresses that we have explicitly authorized, basically because it's part of its profile, then we can basically drop everything else at the network level to ensure that a radiologist can't listen to Spotify on a PACS while he is looking, or she's looking, at images, which is a common thing right now. Common compliance concern.

0:29:24.8 Raghu Nandakumara: I didn't wanna interrupt anywhere there because there's so many great things that you're covering and then you landed on Zero Trust. When you think about, let's say security architecture at a healthcare organization/at a hospital, for the security leadership, when does Zero Trust enter that conversation? And is this something now that the healthcare sector is looking at seriously as an approach that they need to take to really radically improve their security foundations?  

0:29:52.0 Richard Staynings: I'd like to think that all healthcare organizations are looking at Zero Trust, at all aspects of Zero Trust. But Zero Trust is a journey. It's not something that you can throw a switch and become Zero Trust certified on overnight. It's a mindset, it's a journey, it's a framework about adopting various security controls that follow the Zero Trust principles of "trust, but verify," of minimal permissions on any object or any user in order to lock down a network and secure it. It's a step towards more mandatory access control that we have in our military, for example, where you are only allowed to access certain data and certain systems based upon your assignments and your level within a military organization. We're not obviously gonna do that in a healthcare organization, but it's about adopting some of those principles to the network.

0:30:46.3 Richard Staynings: I think Zero Trust in the last few years has become more mainstay in business magazines. You'll read about Zero Trust in the Wall Street Journal or the Financial Times or The Guardian or wherever. Whereas you wouldn't find anything of that before five years ago, even though Zero Trust was really... I mean, Forrester published their first paper on the subject back in 2009, I believe. So it's taken a little while to get here. Is it something that senior business executives should be working towards? Absolutely.

0:31:18.7 Raghu Nandakumara: So from your perspective, as you are having those conversations with the cyber professionals in the healthcare sector, what are the questions that you are typically being asked as someone who's been doing this for 30 years, when it is at around Zero Trust adoption? And I know you mentioned Zero Trust as a journey and we need to take incremental steps to improve our security posture, but what is the most common question you are asked when it comes to securing healthcare organizations and the adoption of Zero Trust?  

0:31:45.5 Richard Staynings: I think it depends who you talk to. If you talk to the CEO or the CFO, they say, "What is it gonna cost me?" Because every dollar spent on improved cybersecurity is a dollar that isn't being spent on patient care. We could talk for another hour here just on the efficiencies of certainly the US healthcare system, but I think most healthcare systems around the world are not exactly optimal in terms of how they spend their money on all things. But that's a separate... Really separate discussion there. I think really it's about...

0:32:17.3 Richard Staynings: The success of Zero Trust adoption is really about adopting a cybersecurity culture within the organization. And that culture needs to start at the board of directors, at the CEO level. And it needs to permeate down through every level of the organization. And if you find that the CEO is standing up talking about cybersecurity at his annual briefing or at every executive briefing, where are we in terms of our cybersecurity risk posture? What are we doing about this and that? You'll find that everyone else does the same, takes cybersecurity seriously. That's obviously the starting place. Still, when we talk about Zero Trust, we're talking about different components that need to come together towards that goal of Zero Trust, and those are separate conversations under the umbrella of Zero Trust as it were.

0:33:09.4 Raghu Nandakumara: Completely agree. And the other interesting point that you made was there around, you didn't use these words specifically about return on investment, but you said every dollar that is spent or every pound that is spent on cyber is a pound less spent or a dollar that is not spent on patient services. ROI, etc., is such a top-of-mind thing at the moment. How does a healthcare organization like the NHS here, that is already strapped for cash, how does it justify the need to spend money on cyber investments? How does it make it an essential budget item?  

0:33:48.2 Richard Staynings: So I think regulation is one way of making that message come across, the fact that you need to be cyber secure. And we saw that, in the last couple of years with adoption of the DSPT, the Data Security Protection Toolkit, which was a big step forward around, trusts having to report to digital around NHS National, I guess, at this point, around the security risks that may be present on their networks as a result of new vulnerability disclosures being announced. And a lot of trusts have done a very good job by reporting on DSPT with the adoption of tools like Cylera and others, that can help them with that. There are still many more that have not done so yet. There's another dynamic here around ROI particularly, and that is around, what is the potential cost of loss versus the potential cost of putting in place adequate cybersecurity controls to prevent an attack in the first place?  

0:34:46.9 Richard Staynings: Now, you're not gonna prevent every attack, but you can limit an attack, you can limit the damage, you can minimize the impact to patients and minimize the impact to system downtime as a result of putting in place cybersecurity measures. And there's about a 10X measure on that if we look at most of the statistics around this. So you are gonna spend 10 times more money dealing with a cybersecurity incident, the attack against the Irish health system or the Wizard Spider attack, for example, or the North Korean WannaCry attack against the NHS. The NHS spent a large amount of money remediating end of life computer systems that should have been replaced over the course of 10 years, but weren't putting in place cybersecurity controls and systems and processes that should have been put in place a long time ago, and upgrading the infrastructure.

0:35:39.7 Richard Staynings: It would've been a lot cheaper, to have spent all the money that was involved in dealing with WannaCry and all of the money that's still being spent on a backlog of elective surgery across the UK, on cybersecurity controls in the first place to prevent those types of attacks. Bear in mind that when there's an attack, you're still paying for the cleanup. And you still haven't remediated the hole that perpetrators were able to get through. You still gotta do that anyway.

0:36:08.4 Raghu Nandakumara: It's almost like a self-fulfilling prophecy. You're paying out twice to fix it and also to the cleanup. But, I get the justification of if we don't spend X on this today, the potential cost if/when we get breached will be 10X. That forward-looking justification is understandable. Once you've invested in a security capability, let's say like Cylera, how does an organization or even as a vendor, how do you go and essentially show the return on that investment to your stakeholders, the budget owner, so that they understand that now having made that investment, they're getting the returns on it?  

0:36:50.5 Richard Staynings: I think it's difficult for any technology vendor because there's a saying there that you can lead a horse to water, but you can't make it drink. So as technology vendors, we provide the tools, the data, the intelligence to our customers for them to make the appropriate decisions around fixing vulnerabilities around microsegmenting at-risk devices. If a customer doesn't do that, then it's hard for them to realize the investment in the software that has been provided to them. I think we're now getting to the point of partnership really where we're working hand in hand with vendors. And I know many of the vendors that we partner with have that similar relationship with our customers to say, "Look, this is what we need to do. This is the policies, the procedures that we need to put in place," so that it's automated so that they don't have to sit down and make a decision when they're gonna remediate a problem. It's automatically remediated. And this is where we're trying to get to at Cylera in terms of complete orchestration and automation of security remediation.

0:37:56.4 Raghu Nandakumara: What you touched on there is really important because it's essentially, you have almost two parts to this. The first phase is convincing a prospect, convincing an incoming buyer that it is important to spend money on this and buying this capability because it's important to secure the organization. And the second part of it is, once that commitment has been made, is then driving the adoption to put in place the right policies, the right sort of services, etc., the consumption of that capability so that it's actually used. And what we have seen and what we see across a multitude of security capabilities is, I think, going to refute what you said is that you can lead the horse to water but you can't force it to drink. When you look at the future of healthcare and medical device security, what do you see as in the medium and long-term? And I know you've spoken about threats of AI as well, so there's probably some aspect of that. What do you see as upcoming and what is gonna be needed to protect the healthcare organization of the future?  

0:38:57.9 Richard Staynings: You hit a good point there with AI, so I'm glad you brought that up. AI is obviously gonna make a dramatic change to the entire healthcare ecosystem. We have a large amount of IT, a large amount of AI within the IT and IoT networks of hospitals today. We have... Our clinical decision support is based upon machine learning. Our radiological imaging system that now allows us to use low dosage radiation with AI enhancement of those low dose images, rather than bombard patients with radiation that otherwise would have a 2% probability of inducing cancer rather than actually identifying it by an image, which has always been one of the trade-offs of whether you go for a CT scan or not, or some other type, like a PET scan for some other type of imaging.

0:39:43.4 Richard Staynings: So we have those technologies already. We are using extensive amounts of AI and the next generation of tools around precision medicine. That's personalized medicine that is based upon your genome, upon your own lifestyle, your particular conditions, so that instead of a drug having a 2% efficacy, it has a 90% efficacy and can remediate problems for you or things like gene grafting, so that you can graft genomes to prevent the onset of certain types of cancer, for example, which are hereditary in nature. Now all of those technologies are gonna require access to vast amounts of data for their training models.

0:40:29.3 Richard Staynings: So we're not talking terabytes of data here, we're talking millions of terabytes or zettabytes, as they're known. A zettabyte is a billion terabytes, just for your audience. We have approximately 100 zettabytes of medical data that is being used by AI today in order to train models for the next generation of healthcare. Now that is great, but AI models can be corrupted, they can be poisoned. So we need to put in place security around those AI models, those training models, those learning mechanisms. On one side, we also need to put in place privacy mechanisms because I'm sure you don't want your medical data, your genome being up there on the Russian dark net and up for sale. And well... Whereas your genome and my genome might not fetch an awful lot, there are certain people whose genomes would fetch a significant amount of money.

0:41:19.5 Raghu Nandakumara: Mine definitely will be available on the cheap. Yours I'm sure is far more.

0:41:23.2 Richard Staynings: Oh, I don't know about that. So that's one example of AI in the healthcare space. I think the other area is more generic across industry, and that is really around the onset of AI-laden malware, offensive AI, for example. We've seen this in the last... Probably since about 2018, 2019 with certain malwares being AI-enabled so that they can get past our traditional endpoint and perimeter antivirus, perimeter security defenses, advanced malware protection tools, XDRs and all the rest of it because they learn as they go. They're able to pass themselves off as legitimate network traffic and get by our defenses. And we see this same sort of principles played out with fake images and fake videos on the internet. We've all seen deep fakes of famous people saying things that they would never have said or didn't say during their lifetime. We've now got new songs coming out from the Beatles which are AI-enabled which are gonna be hitting the stores very soon. The Beatles latest album with the entire original cast, and it's all AI-enabled.

0:42:35.1 Raghu Nandakumara: What I say to that is that, it's not the Beatles, it's statistically equivalent to a Beatles track, is what I say in response.

0:42:47.7 Richard Staynings: Right. Exactly. But most people would just say, I went to the Beatles.

0:42:50.9 Richard Staynings: Or this new John Wayne movie that came out in 2023, it's John Wayne. He's in color in this one. Even though it's entirely computer-generated. And certain families of deceased actors have tried to protect the use of AI for their imagery moving forward. But those same types of tools are being used now to attack our organizations. And the only way really around protecting against those offensive AI tools, is using defensive AI tools. So we need to rethink the tools that we have at our disposal so that we can AI-enable those defensive tools to recognize an AI attack and block it immediately.

0:43:30.2 Raghu Nandakumara: I was reading your recent blog post, "The Rising Threat of Offensive AI." That's fascinating, the number of different areas that you cover and where AI poses a threat. I assume just by your last answer that in your opinion, the only way to defend against defensive AI is AI-powered defenses and that conventional defenses will not be enough on their own.

0:43:50.3 Richard Staynings: That's correct. We're already finding that AI-enabled attacks are getting past our traditional heuristic-based endpoint detections. For example, even some of the early AI XDR tools that are out there right now, they're able to get past them because they understand how they work. If you are a Russian crime syndicate, you can go out and you can buy every conceivable piece of software under a fake company name, and set it up in your labs, and figure out how to defeat it. And this is what perpetrators are doing, unfortunately. We need smarter tools, newer tools. And unfortunately, that's gonna mean that a lot of vendors are gonna have to rethink their approach, be highly innovative and come up with new AI-based tools. And it also means that end users are gonna have to get rid of and retire a lot of those tools that they've used for the last 5-10 years, and look elsewhere. And maybe the approach, the mix of systems and tools that they have at their disposal, in their toolbox, needs to be adjusted for the reality of 2025 and onwards.

0:44:53.0 Raghu Nandakumara: Yep. Absolutely. So Richard, I know we've had quite a wide-ranging conversation and honestly, you've made my job super-easy today, just by being so open and so generous with your insights that I've barely had to ask a question other than just to sort of say a nod and appreciate it. So, before we sort of wrap up, any final thoughts for our listeners around just any nuggets of advice for security practitioners in the healthcare industry or in other verticals?  

0:45:22.3 Richard Staynings: Yeah, I would say look to the future. Don't look to the past, don't look to the market leaders from five years ago, because obviously that is gonna change and the acceleration of change is going to increase and continue to increase. I would say look for vendors that are gonna partner with you, that are gonna get down in the trenches with you, and help you troubleshoot and figure out how you use those tools to their optimum level of value. And I would also look for tools and vendors that have automation built into them, because we cannot continue to add more tools to our toolbox because the toolbox is already full. I've had many conversations with senior executives over the course of my career who've basically said, "That's great. I hear where you're coming from. I understand why we need this. What two tools can you get rid of before we buy this tool? Which tools does this replace?"

0:46:13.4 Raghu Nandakumara: It's the whole ROI conversation with the different spin.

0:46:16.6 Richard Staynings: It's also the overhead conversation because you don't have enough people, we don't have enough people on our security teams. We're outnumbered at least 5 to 1 against perpetrators. And we need to do a much better job of automating cybersecurity defenses based upon run books and processes and policies that we've all agreed upon in advance so that these systems run themselves.

0:46:41.6 Raghu Nandakumara: Awesome. Richard, thank you so much. For our listeners, if you'd like to go and catch up on more of Richard's expertise on cybersecurity, his thoughts, go and check out his website cyberthoughts.org. And if you're keen to understand more about how Illumio and Cylera are partnering to bring Zero Trust to healthcare organizations, go and check out our joint solutions on illumio.com. Thank you, Richard. Thank you so much for being on The Segment.

0:47:13.6 Richard Staynings: Thank you for having me.

0:47:16.8 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more Zero Trust resources, be sure to visit illumio.com. And while you're at it, check out Gartner's newly released 2023 Market Guide for Microsegmentation where Illumio has been proudly listed as a representative vendor. That's all for today. I'm your host, Raghu Nandakumara and we'll be back soon.