Shawn Henry, President of CrowdStrike Services & Chief Security Officer at CrowdStrike, joins Phoebe Yang of Amazon Web Services (AWS) to discuss cyber risk assessment and business-level implementation of security strategies in healthcare and beyond. CrowdStrike, an Austin-based cybersecurity technology company, offers the first cloud-native security platform that includes threat intelligence and incident response services for organizations in healthcare and other industries.
This Executive Conversation is a follow-up to the previous conversation, which can be found here: Link
Phoebe Yang: I’ve heard you talk about your risk calculus formula. Can you explain this formula and how it can inform organizations regarding the potential consequences of their risk?
Shawn Henry: To assess risk, I examine threats, vulnerabilities, and consequences. There are certainly a lot of other variables that can be factored in, but those are the three I focus on when it comes to cybersecurity.
I ask different questions to assess risk in each category:
- Threats—Who are the actors? Who is looking to target our environment—nation-states, organized crime groups, hacktivist groups, insiders? What are their objectives?
- Vulnerabilities—What do we have in our environment that might be exploited? How can threat actors gain access to our enclaves and wreak havoc?
- Consequences—What is the impact if those threat actors gain access and deploy malware? Is there a loss of personally identifiable information? Are repercussions destructive or simply inconvenient?
Once you evaluate risk based on those three factors, you can begin to prioritize what’s important: Where do we need to focus resources? What should we be most concerned about as an organization? What are the best ways for us to invest to attempt to minimize that risk?
I tell people, particularly business owners, senior executives and boards of directors, that cybersecurity is a business decision like anything else. If you’re opening a new location, launching a new product line, or making an acquisition, there are variables assessed that factor into your decision process. Cybersecurity is the same. It’s critical that an investment be risk-based; otherwise, you’re likely to either underinvest or overinvest. That risk calculus is an important place to start.
Phoebe Yang: I’ve noticed that many organizations focus on recovery, but to have a more holistic business approach, how can organizations plan for prevention, identification, and detection on the front end before focusing on recovery?
Shawn Henry: Your customers, investors, and employees expect that you are protecting their data. They expect you are maintaining an environment that can support the needs of the business, and that you are being prudent. You don’t want to be figuring out what happened at the back end—at that point, it’s too late.
A holistic approach starts with proactively considering who might target your organization, how they would do it, and why. Then there are many different solutions to help organizations. One is threat hunting—looking at anomalous activity in an environment. If you can identify unusual activity, you can mitigate it before an issue occurs.
Phoebe Yang: You’ve mentioned that you speak to a lot of boards and I’ve had the pleasure of serving on a number of large healthcare boards, and security is always a concern. How do you encourage Chief Information Security Officers (CISOs) to interact with their boards to maintain a strong information flow while avoiding unnecessarily technical details when it comes to their security posture?
Shawn Henry: Everything a company does today is built in the electronic environment. Whether it’s in the cloud or on-premises, it is digital. Companies that fail to recognize and protect those assets are putting their organizations at grave risk.
I talk to boards every day, and I start by telling them they need to embrace the CISO so the CISO feels empowered to speak candidly behind closed doors. Unfortunately, I’ve seen some directors who want to find something wrong with every security approach; to me, that is a bad strategy. We all want to do what’s right for the company – create the right products in the right environment and deliver our products with integrity and honesty. To accomplish that, there needs to be an open, transparent discussion.
I also try to set expectations for the board. The expectation can’t be, “we’re never going to have an incident.” If that’s the bar, then you’re going to fail. There will always be incidents. The success of an organization is not based on stopping every incident; that’s just unrealistic. Instead, it’s about managing the incident successfully so you can mitigate the risk, consequences, and impact. You can do that by having the right philosophies and policies in place.
Let’s use healthcare as an analogy. The goal can’t be “never get sick.” That’s built to fail because you’re going to get sick. But you can eat healthy, exercise, and refrain from excessive drinking and smoking. If you take these steps, you will generally be relatively healthy. And further, you can be proactive by getting diagnostic tests and regularly visiting your health practitioner to detect issues in advance before they become major concerns.
Phoebe Yang: We know that catastrophic events occur, but responsible boards should be planning for these events by being more proactive and asking the right questions of their operational leaders. What kinds of questions should a board member be asking to ensure they have the right security strategy?
Shawn Henry: I believe the leader sets the pace for the rest of the pack. The board is setting an environment of security by demonstrating their concern. There are specific questions you can ask to demonstrate the board is paying attention. The types of questions you might ask a CISO are similar to what we’ve discussed here: Who is likely to target us? Why are they going to target us? How are they going to target us? Where is our most sensitive data? How is it being protected? Do we have the right people patching our systems? Who are our vendors, and what type of relationships do we have with them? It’s about demonstrating that security is important to the board and that they understand the enterprise risk. When the board does that, it also inspires the CISO by showing interest in what they do.
Phoebe Yang: How should boards be prioritizing security risk?
Shawn Henry: This question gets into oversight versus operations. I think the board is unlikely to handle security prioritization. Instead, it would be the C-suite, perhaps the CISO or Chief Risk Officer (CRO). Key takeaways would then be transmitted to committees such as the audit or risk committee, depending on how the board is structured.
But when you’re thinking about prioritization, it comes back to risk calculus and identifying the most important issues. For example, a given organization’s primary concern might be protection of personally identifiable information or ensuring continuity of business operations. After identifying the priorities, organizations need to do a holistic look at all business processes and make changes to increase safety.
For example, if you’re a board member of a healthcare organization, you can participate in changing business processes to reduce risk and decrease liability. If you’re being targeted by an organized crime group interested in obtaining personally identifiable information (PII), asking the right questions will help you drill down on solving the problem. How much PII are we maintaining? Do we have a business need to keep this information? Can we delete or eliminate it and therefore remove the vulnerability?
Phoebe Yang: Switching gears a bit, what value do you see in external security components such as outside legal counsel, cyber insurance, or incident response firms?
Shawn Henry: Cybersecurity is a team sport, and having diverse partners in this space is good because they bring different areas of expertise. Staying with our healthcare example, most experts, doctors, and technicians focus on keeping people healthy rather than protecting the data infrastructure. Having a retainer with an incident response firm allows them to maintain that focus because help is just a phone call away if something does go wrong. Negotiating contracts is the last thing you want to be doing when there is an incident. That could take weeks! And you don’t have weeks: you have days or even hours. You need to have the statement of work prepared and the NDAs already in place.
Similarly, it’s strategic to establish relationships with an outside counsel that does this type of work. A communications firm can help you shape critical communications with internal stakeholders, regulators, patients, customers, or partners. You may also want to talk to law enforcement in advance. The FBI and DHS have outreach programs with the private sector, and organizations can collect valuable intelligence by interfacing with these agencies. Again, it’s best to establish a connection well before an incident—have their phone number handy or schedule a quarterly meeting so you get an immediate response when something happens. These relationships make an organization fundamentally stronger and more resilient.
Phoebe Yang: Should healthcare organizations be adopting the National Institute of Standards and Technology (NIST) security framework?
Shawn Henry: NIST is best treated as a groundwork—it provides a good foundation, but much more needs to be built in. Much of what NIST talks about regarding encryption, patching, and risk and identity access management is pretty basic in my opinion. For organizations just starting a cybersecurity program, this might be a good place for them to start because it provides a fundamental security philosophy and recommendations for implementation. But my concern is that organizations will say, “We’ve applied everything NIST says,” and then assume they are secure. True security requires organizations to be proactive and invest time, energy, and resources into making themselves resilient according to their unique needs and risks. True security is implementing a strategy that includes iterative security practices and scales as organizations grow and adversary activity evolves.
I don’t see an overarching framework that is ideal for every sector or organization. Some companies process credit cards and have Payment Card Industry (PCI) standards, while healthcare companies are much more highly regulated and have set requirements they must abide by. So, there is not a comprehensive, overarching strategy. However, there are best security practices, and we’ve touched on some of those here—zero trust, identity management, threat hunting, and asset identification. Asset management is another critical piece. For many companies, this is where cloud technology is helpful, because it provides much greater visibility and scalability.
Phoebe Yang: If you were advising a healthcare organization dealing with financial challenges, how would you advise that organization to take hold of its security posture proactively in a cost-effective but strategic way?
Shawn Henry: This is where you see overlap between the roles of the CIO and the CISO. The CIO is responsible for choosing the technologies and capabilities that will support and protect the business, and the CISO is responsible for using those technologies effectively and efficiently. One of the areas where we see companies getting victimized is through adversaries exploiting weaknesses in legacy equipment that is not supported from a security perspective. But some of these pieces of equipment, especially for hospitals, might cost millions of dollars; you can’t go to your local store and get a new one off the shelf. So, it’s a balance.
Companies need to identify where they can invest to improve their business overall. Increasing the security capabilities of an organization is one way to make it better. Protecting data from being lost or stolen ensures the organization is successful going forward. Every organization will be a little different because there are so many variables, and no two organizations are exactly alike. I would encourage business leaders as a holistic group to look across their enterprise and work collaboratively to improve their core business functions.
Shawn Henry serves as President of CrowdStrike Services and Chief Security Officer of CrowdStrike, leading a world-class team of cybersecurity professionals in investigating and mitigating targeted attacks on corporate and government networks globally. Under his leadership, CrowdStrike engages in significant proactive and incident response operations across every major commercial sector and critical infrastructure, protecting organizations’ and governments’ sensitive data and networks around the world. Henry’s work includes educating boards of directors and executives of key companies on critical proactive security measures, governance, and corporate readiness in the event of a breach. He also oversees all security aspects of global CrowdStrike facilities, personnel, executive protection, and corporate events.