Simplifying Cyber

Third-Party Risk Management in Healthcare

Hosts: Aaron Pritz, Cody Rivers. Season 2, Episode 6

Ever wonder why healthcare organizations are such prime targets for cyberattacks? In this eye-opening conversation with Kelly White, founder of Risk Recon, we uncover the startling reality that healthcare accounts for 37% of all breach events in the last decade.

Kelly's journey from soldering Timex Sinclair computers in the late 70s to founding a pioneering third-party risk management platform offers a fascinating perspective on cybersecurity evolution. He shares how his side project—identifying indicators of vendor cyber health through internet-accessible information—grew from 30,000 lines of weekend code into a successful enterprise now providing crucial breach insights.

The data tells a compelling story: organizations with good cybersecurity hygiene experience breach events at rates four to six times lower than those with poor practices. Yet many companies still chase sophisticated security solutions while neglecting fundamentals like secure remote access, proper network filtering, and effective identity management. As Kelly puts it, "If you don't have those foundations in place, you don't have much to build on."

We explore AI's emerging role in third-party risk management, where it shows tremendous promise in automating questionnaire reviews and helping security professionals focus on meaningful risk treatment rather than administrative tasks. Kelly's advice for security leaders rings especially true: "Don't try to script your career so tightly that you're not open to opportunities," and remember that "growth begins where comfort ends."

Whether you're a healthcare security professional, a CISO working with limited resources, or someone interested in the intersection of risk management and emerging technologies, this conversation offers invaluable insights from someone who's successfully navigated the cybersecurity landscape from practitioner to entrepreneur. Listen now to transform how you think about security fundamentals and third-party risk!

🔗 Connect with Us & Get in Touch

Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics.

No gatekeeping and no BS. We’re here to simplify.

Official Website: www.revealrisk.com

LinkedIn: https://www.linkedin.com/company/reveal-risk

🤘 Stay Secure with Us

If this content helped you understand cybersecurity better, please give it a thumbs up, subscribe to our channel for more expert insights, and hit the notification bell so you don't miss our latest updates.

Reveal Risk delivers cybersecurity results, not just reports.

Speaker 1:

Thanks for tuning back in to Simplifying Cyber. I'm Aaron Pritz and I'm Cody Rivers. And today we're pleased to be here with Kelly White. I've known Kelly since my days at a large pharmaceutical company. I think we met at the Healthcare ISAC, had great conversations and just have kept having them over the years, and regularly. Now, Kelly, happy to finally have you on the show. I can't believe that we've waited this long to do it, but thanks for.

Speaker 3:

Yeah, it's a pleasure, as always, to be talking with you. Thanks for the invite.

Speaker 1:

Awesome. So today, and I know you've focused a lot on your career, we'll let you tell a little bit of your brief story. But you've had time in financial services on the corporate side and time in consulting to start your career. And then obviously we met as you were supporting the pharmaceutical industry with Risk Recon. But give us a little bit of your background, how you found your way into cyber and what you want the listeners to know about you.

Speaker 3:

Yeah, my story in cyber is pretty long. I started building, soldering a Timex Sinclair computer together, back in the late 70s. We had to write our own software for video games. I mean, copy instructions, not invent our own. So that got me into programming and took that through high school. I was actually an accounting student, an accounting major in college. But I did a research paper on cybersecurity, well, not called cybersecurity at the time, but in the mid-90s, and pivoted over towards what was information systems at the time, and was fascinated with it enough in the mid-90s that I decided to make a career out of it. And I had the good fortune of joining up with a great group in Silicon Valley with Ernst & Young, where they were standing up a security assessment or what was called at the time attack and penetration testing services. And yeah, that got me going into eight years of consulting and then 10 years at a financial institution.

Speaker 1:

And I guess I knew you when you had already founded Risk Recon and were kind of expanding your marketplace. What prompted you to make the entrepreneurial leap?

Speaker 3:

Yeah, I think practitioners have the best view of the problem. I mean, that's an obvious statement. You know, as you're in the trenches solving problems, one of those that was pressing on us at the time, and it really started in like 2009, I think, for the bank I was at: the bank brought on Salesforce and that opened the floodgates for like, hey, we're going to outsource systems and services as a strategy, because this is so much more efficient and faster than build and operate internally. And so we were dealing with a flood of requests for assessing vendors, and all these vendors wanted the bank's sensitive data and customers. And so you're kind of looking at the questionnaires going like, is this really true? Like, everybody's passing these questionnaires. I mean, I don't even pass my own questionnaire like this. And so I was just looking for more data to substantiate what vendors were claiming about their programs, about even basic questions like, where do you host your systems? Oh,

Speaker 3:

yeah, it's all in the internal data center, or it's all in this one hosting provider. I'm like, is that true? And so I started digging into open source places on the internet to find answers, my own objective answers to substantiate what vendors were saying in questionnaires, and found a treasure trove of information, where I developed this kind of saying that you can't do anything on the internet without revealing, at least in some part, the quality of your cybersecurity program. And with that thesis I started writing code to systemically identify the systems companies operate on the internet and mine information out of those to get indicators of what their cyber health was. And for four, four and a half years that was just a side project, nights and weekends, but it turned into 30,000 lines of code that actually worked.

Speaker 2:

Yeah.

Speaker 3:

And that became Risk Recon.

Speaker 2:

Well, it's been great. I mean, I think it's got loads and loads of data. I know the software personally, but your [no transcript] data shows, again all sourced from Risk Recon.

Speaker 3:

We have a team that really does quite a good job of cataloging every publicly reported cybersecurity breach event, and as we take that data, we correlate it out to, like, well, what industries, what's the size of the company, what's the geography, what's their cybersecurity hygiene at the time of the breach event. So it makes for a really fascinating, objective insight into breach events and kind of who's getting breached and, you know, what are their conditions and so on. And as it turns out, as you say, you know, healthcare. And the white paper you're referring to is specifically a study of about 15,000 healthcare organizations in the US and what the breach events over the last 10 years were for them. Zooming out, 37% of healthcare organizations. Sorry, when you look at all the breach events that have happened in the last 10 years, 37% of those have been of healthcare organizations. Wow.

Speaker 3:

And so why is that such a big target? Why healthcare? You know, I think there's a few factors that contribute to that. One is, I think, that threat pressure pivoted over to healthcare later than it did the financial sector. You actually looked at breach events pre-2015, like before this 10-year study.

Speaker 3:

But if you look back, starting in 2000 through 2010, those were really more financial focused. There was a pivot towards healthcare, and I think part of it, you know, is the threat scope. So much regulation was focused on the financial sector. You've got the threat pressure, you've got the regulations, you've got budget and you've got, they're really working on it. Healthcare really operated without those motivators, I think, for quite a period of time, but it came on fast, and when it comes on fast, that creates its own challenges.

Speaker 3:

The other thing is that I think that, as complex as financial services is from a technology and infrastructure perspective, healthcare is an order of magnitude more complex. As I understand it, manufacturers of medical devices that have embedded software can't even update those without getting certain approvals. So it's just a very different dynamic in healthcare, very different attack surface, very challenging. But at the same time, when you look at it now, who needs to be operational 24/7/365? If you had to pick one, it would be healthcare. So they have high operational requirements and they have what I think is the most sensitive data. If somebody got my financial information, okay, I can recover from that. But if somebody gets my healthcare information, for certain people, that can be really devastating.

Speaker 1:

Or shuts down a medical device. I mean, I know we've had several covered or toppled. There was a flood of, in my belief, threat actors that knew that they were going to pay, and that's really what it's all about. Even with ransomware insurance, it isn't going to help you through the operational gaps that have been caused. The report mentioned something about, well, an obvious thing, that a lot of healthcare companies have dramatically improved their cybersecurity hygiene after the breach, and this happens everywhere. But if you were to coach a hospital CEO, what are some of the things that you've seen, based upon the data, that they should be proactively doing before the breach, even if they've not had their turn yet?

Speaker 3:

Yeah, I mean, the data consistently shows that good cybersecurity hygiene matters. If you're an organization that's demonstrating good cybersecurity hygiene, just based on these 22,000 breach events in our study, organizations with good hygiene have, depending on what industry sector you're in, between four and six times lower rate of breach events than those with poor hygiene. So good hygiene, four to six times lower frequency of breach events. And this is, you know, across the total study, looking at around 200,000 companies, 20,000 breach events. Who's getting breached? Those with poor hygiene, four to six times higher than those with good.

Speaker 3:

And so what's behind that? Like, you're looking at things like remote access. You know, secure remote access: what's the quality of the remote access? The presence of unsafe network services: like, do you have Telnet or database listeners out on the internet that are easy attack vectors? Software patching. And then the one we can't measure so well from Risk Recon's perspective, but of course it comes down to people.

Speaker 3:

So many of these attacks start with phishing. But companies with good hygiene, you're taking care of the basics. And again, if you look at ransomware attacks, just trace it back. There's enough incident reports out there that you can say it's phishing, it's vulnerable software, it's unsafe network services, it's unsafe remote access. Take care of those things. Those are hygiene things, and that's not trivial to do in a large organization. You've got to really have, and you have a front row seat to this in your consulting practices, to say, hey, do a good job of managing software vulnerabilities, or really keep unsafe network services from being exposed to the internet. Those sound like very short statements, but having your IT and your organization operating in a way that consistently does that, that's not trivial. So it takes organizational discipline. There's a lot behind it.

Speaker 1:

And it's not the sexy work either, because sometimes it's fundamentally a real drudge to get through. But I guess, if you went back to a CISO role in healthcare today and you had a limited budget, which most healthcare organizations have, not a blank check, and even if they have all the money they need, the change, the cost of change and people, organizational change management is probably the biggest hurdle that we see. But where are you spending your money and your time in the first 30, 60, 90 days?

Speaker 3:

I'd say secure remote access and identity and access management. I might be wrong, but you can't be wrong by starting there. There might be some other equal opportunities, but you know, a lot of breach events are not zero days. They're really kind of a failure in identity management or an insecure remote access type of scenario that's really going to come and get you. If you don't have those foundations in place, you don't have much to build on.

Speaker 1:

Yeah, yeah. And sometimes you see companies wanting to rush for the sexy project, you know, a great threat intelligence tool or, you know, an XMDR capability that will tell you the alerts. But it's almost like if you don't have the foundation poured and stabilized and you're putting the third floor watchtower on, it's really tough. You're going to be in a defensive, reactive posture regardless.

Speaker 2:

Yeah, one thing I think about too: you have, like, hygiene and, like, third-party risk. Obviously that's a big part of Risk Recon. But I get this question probably once, twice a week: integrating AI into, specifically, third-party. And so, as someone who's built a successful company and sold it within third-party risk and everything, what are your thoughts? If I'm looking to make a few bets on AI within my third-party risk program, where are you saying go big, and where are you saying to practice a little prudence and see how things fall out first?

Speaker 3:

Yeah, you know, I think the application of AI, and maybe this is applicable more broadly, is, as you look at automating processes that are very routine and really don't require the work of a professional but are time consuming. And so questionnaires are straight off the top.

Speaker 3:

AI, there's a number of solutions out there. Risk Recon has one, but you can take a questionnaire, whatever one you're using, and you can take a body of documents from your suppliers and, rather than asking them to answer questionnaires, you just say, hey, give me the docs you have about your program. The AI can read it, answer the questions, tie it together, present it to you in a way that says, hey, with this degree of confidence, they have these things in their program. Hey, here's some areas where we just can't get it out of the docs, or our AI just doesn't get us to a confidence level. So you could whittle down that questionnaire process from weeks to hours, for example. So that's good efficiency. And what you're really doing there is looking for opportunities for your professionals to spend time on higher value problems, and that's really what I think we need in third-party risk management, because the supply chains are so complex and they're embedded with so much risk, and still today we are not treating it as we could.

Speaker 2:

Yeah.

Speaker 3:

Just because of budget limitations and realities. But if you can free up those, if you can start pinpointing better where risk exists, automatically. And you know, that's what Risk Recon does. Right, Risk Recon is not questionnaire-centric, but you know, we're surfacing direct evidence about the quality of their software patching and network filtering and malware and all these different things. But what all of these things are doing, AI included, is pinpointing where risk exists, where there's evidence, anyway, of a higher probability of risk existing. And then your professionals have the time, with that increased automation, with AI, with Risk Recon, to spend time with those suppliers and internally having the conversations with the business owners: should we transfer risk, should we work with them on remediating it, and so on, treating the risk. And so that's where I think the opportunity lies today, and I think that, as I look on the horizon, it's getting better at, you know, packaging, collecting all of this data and structuring it in a way to enable risk professionals to understand and act quickly.

Speaker 1:

Yep, I think, with so many vendors and so many potential rabbit holes that you can go down, that focus element is so critical.

Speaker 1:

Yep, you know, because even with companies that have hundreds or thousands of vendors, like, man, if you could take the top 10 and go really deep on those, and then still have coverage on the others, but go deep in specific areas with the limited practitioners that you have allocated, you can actually reduce more risk. And I want to pick on, or amplify, one thing that you mentioned on risk treatment, because we still see today a lot of third-party risk programs that have all the tools and have lots of things in place, but they don't actively have a risk treatment program or approach. They're not tracking findings, they're not holding vendors accountable, so it literally turns into a paper dragon exercise. And with AI coming into it, we're now seeing AIs talking to AIs and fabricating results on both sides. So I think really, if we're going to improve in this space, spot on with your advice, we've got to focus on having AI narrow our focus, have the smart practitioners go deeper in limited areas, and then really get findings management right, because you can't reduce risk if you don't treat risk.

Speaker 2:

Yeah, yeah. One thing I think about too. So, a lot of great stuff, Kelly. You've got a long career of success and some great things. You get a phone call that you get to make to Kelly White 20, 25 years ago.

Speaker 3:

Yeah.

Speaker 2:

You know, two minute phone call with, like, three bullet point tips. What are you saying?

Speaker 3:

The first thing I'm going to say is just give. I think the best things in your career are going to come, number one, you're going to do really good work in your assignments, you know, for your employer, be a really good employee and really lean into it. The things that you give outside of those work hours, though, are going to be where things really take off, and take off in ways that you just can't expect, whether that's additional learning and study, developing your own research, publishing papers. It could be working with working groups, you know, volunteering, doing volunteer work with nonprofits who need help with cybersecurity, working with a conference.

Speaker 3:

Whatever you give outside will return to you greater than what you gave, and I'd say that's the first thing. It's a bit of an act of faith, and, you know, you've got to do it authentically, not doing it with the intent of getting something out of it. That's not the way to do this. It's really a genuine thing you're giving with the right motives. That's the first thing. The second thing I'd say, and probably the last, is, like, hey, this is going to be a grand adventure and it's going to take you places you'd never expect. So don't try to script it so tightly that you're not open to the opportunities that are going to come your way. And when those opportunities do come your way, err on the side of taking a risk yourself.

Speaker 1:

Getting out of your comfort zone. What do you always repeat?

Speaker 2:

Growth begins where comfort ends.

Speaker 3:

I like that. So there's three that I really believe in.

Speaker 2:

Yeah, that's excellent. That's excellent. And I'd say, you know, beyond the third-party risk and the software, I've had a pleasure meeting you and reading your white paper. Let's give our listeners a little bit. What's a fun hobby, Kelly White, outside of cybersecurity? Musician, play an instrument? Wild X Games athlete behind the scenes? Getting warmer.

Speaker 3:

I do a lot of dirt biking in the mountains and the deserts of Utah. I'm blessed to live in a state where, like, 90, I don't know, 70% of the land is public land, and so you could really venture out for thousands of miles. But I've got a group of friends. The group varies from four to a dozen depending on what we're doing, but every week, Thursday late afternoon into the evening, we're out in the mountains on our dirt bikes. Oh man, that's awesome.

Speaker 2:

You've got the whole guard with the helmet, the pads and everything. Man, got the cool boots, neck brace.

Speaker 3:

I guess you call the sport hard enduro, and it's a hoot. And then in the winter it's all about skiing, which, yeah, Aaron knows all about, and now I frequent.

Speaker 1:

Utah is a good, easy location to fly in direct from Indy. Be out to the slopes in 30 minutes. You can ski that first day. Lose three hours or gain three hours coming over.

Speaker 2:

It's great. But last thing I'll say: what's your third-party risk process when you bring on some new gear? I mean, how deep are you going? Are you doing the scan, the website? Are you looking at customer reviews? Give us your third-party risk process.

Speaker 3:

You know, I pay attention. So there's a person named Graham Jarvis who's the king of hard enduro, and he's semi-retired now, I mean, he's in his mid-40s. But I pay attention to people like that. I watch their videos, study them, I've met up with them. So I definitely want endorsements.

Speaker 2:

That's excellent. That's excellent.

Speaker 1:

Cool. Well, Kelly, thanks for coming on the show today. We really enjoyed this conversation and always good to talk with you. Thanks again.

Speaker 2:

Yeah, thank you. Thanks, Kelly.