Enterprise security from healthcare to GE: accountability, strategy, and value creation with Bob Chaput

Secure Talk - Bob Chaput 

Justin Beals:  Hello everyone, and welcome to SecureTalk. This is your host, Justin Beals. This week, we have a great guest with us, and we're going to talk a little bit about developing cyber risk management practice. Thanks Before we dive into it, I was stunned in some ways in working in security as I have with a critical correlation that happened for me in the past with the work that is done around product, especially technology product.

I spent much of my career building all varieties of a technology product, usually taking many years of both development and maintenance, building technology teams to build that product and designing the core value that would be in the product. One critical factor in all of those particular projects to deliver technical work had to do with the scope of the product we were building, as a matter of fact, as I built some product that failed miserably in business and some product that was quite successful in business, what I realized deeply is that the scope, the vision, the way that we think about what matters when we build product was the foundational step in building the best product possible, the most successful product possible.

When I began looking at security and security practices, both within my technology teams and for my products, what I realized was that the scope of the security that we practice is critical to its success as well. And that the variation in security practice could be wild, even for companies that look very similar or organizations that store similar data, but the way they use it, the way they work with it, the relationship they want with their customers and the relationship they want with their community changes dramatically the type of security that they might implement.

And in our quest at Strike Graph to build the best possible security posture management tools. What we realized was that flexibility is really important. And when you get an issue of flexibility, you need to find the right scope to that security posture to be able to executed effectively to be able to monitor it efficiently and to be able to validate it over time. And that's why I really enjoyed talking with our guests this week. 

Bob Chaput is the author of “Enterprise Cyber Risk Management as a Value Creator”. It is a great way of considering how we build important cyber risk management tools, what our security is and how we communicate that across our organization.

He is the founder, former CEO and executive chair of Clearwater Security, an award winning provider of managed security services, cyber risk management, and compliance solutions. Bob has worked with board members and C suite executives at dozens of organizations, including Fortune 100 organizations, federal and state government agencies.

So, Bob dedicates his time today to educating industry leaders about the importance of cyber risk management and the changing regulatory environment through articles, presentations, teaching, YouTube channel, and webinars. In addition to his two books, he was a contributing author to two books, Walter Kluwer's Health Law and Compliance Update and the American Society for Healthcare Risk Management's Healthcare Risk Management Fundamentals.

His insights for quality and cyber risk management have also been published in dozens of periodicals, including Modern Healthcare, CISO Magazine, the Healthcare Compliance Association's Compliance Today, Health IT Security, Healthcare Info Security, and the Wall Street Journal Pro Cybersecurity. Bob has been recognized as a 2024 Cybercrime Magazine Cybersecurity Pundit Industry Expert.

Obviously, a deep resume and experience in developing robust, critical, and effective cybersecurity practices. Please join me in welcoming Bob Chaput to the podcast today. 

                                                                     —---

Justin Beals:  Hi, everybody. And welcome back to StrikeGraph. We're very excited to have you join us today. And we have a great guest, Bob Chaput is joining us today.

He is a deeply experienced CISO and security leader for a number of organizations, especially in the healthcare space. And we're going to be talking with him and his book, cyber risk management as a value creator. Bob, thanks for joining us today on Secure Talk.

Bob Chaput: Thanks very much, Justin. Really appreciate the opportunity. 

Justin Beals: Excellent. Well, Bob, we always love a little bit of an origin story, and we certainly have listeners that are young in career in the security space, and they like hearing about how our guests met the achievements in their careers that they did.

Could you tell us a little bit about how you got started in security and your expertise in the healthcare space? 

Bob Chaput: Sure. It goes back, speaking of your young folks, many of them may not have been alive at this point in time, but it goes far as back as  the mid 1980s. Actually, I was working in GE.

I was in a large data center. GE had developed its own internal disaster recovery facility. At that point in life, we all in security talk about the triad confidentiality, integrity, and availability. The big issue of the day was availability. We were worrying about chemical spills and airplanes crashing into data centers and things like that.

After GE built its own disaster recovery facility, they decided to try to leverage that opportunity and commercialize it. So, it was at that point in time when I learned  confidentiality, integrity, and availability.  From there, I've had a number of roles  over the course of my career information technology, obviously, but privacy, security and compliance as well,  as an example, with,  in addition to GE, when I went to work for Johnson and Johnson in the mid-1990s, there was not an information security program.

So I established the program and hired the first CISO, at that point in time.  Fast forwarding a little bit probably in the mid-2000s, I worked for a large healthcare company in Nashville. And, establish what  no one was calling at the time and enterprise cyber risk management program. This was a billion-dollar healthcare company.

I've spent a lot of time in healthcare, so I've had great opportunities over the course of my career in operations as an executive; I've been an entrepreneur a number of times,  most recently an author and, consider myself in the fourth quarter of my career,  I'm not quite wearing the tweed jacket with the patch patches on the elbow, but I am doing some work in teaching, today, as well, working with, University of Texas at Austin, developing a health care enterprise cyber risk management program. So I've had a lot of great opportunities and at this point in time, focusing on giving something back. 

Justin Beals: Wow. That's excellent. It's got to feel good in that fourth quarter. You know,  kind of bringing that expertise back and certainly, you're scaling, I think,  a deep set of experiences in the book.

I really enjoyed reading it. I'm grateful that you produced it. The title right off the bat was something that appealed to me,  which is the concept of enterprise risk management as a value creator. Now, in this would have been the nineties, I worked for British Telecom. It was one of my first computer science gigs, and my, I did have a security role, and they were like, Hey, if we didn't get hacked this year, Justin,  then we're gonna probably get less budget.

And if we did, then we're going to get more budget. And I just always thought that wasn't great value creation. Maybe you could tell us a little bit about your inspiration here and especially adding that value creation concept to the book. 

Bob Chaput: Yes. I have to say, it also is something that goes back to the mid 1980s.

At that point in time, I didn't know I was at the beginning of what today I'll call is a parallel track. The famous Michael Porter at Harvard wrote a paper, turned out to be a pretty seminal paper, whose title was along the lines of using information for competitive advantage. And, you know, at that point,  IT, we didn't even call it IT.

We called it EDP. Electronic Data Processing was relegated to doing a payroll and accounts payable, accounts receivable, and all these, batch processing jobs that were done in the basement, you know, sort of in the dimly lit rooms, all of a sudden Porter comes up with this idea, wait a minute, we might be able to leverage all this information we have to create competitive advantage.

I feel we're on a very parallel track in the area of information security or cybersecurity at this point. we are always, of course, have primarily focused on playing defense and similar to what Porter did when he said, well, let's start thinking about investing more and investing in ways that's going to create business value and potentially competitive advantage.

I think organizations need to think along those same lines today. It's a little bit heretical, especially given the fact that so many organizations are on the losing end of the ongoing battle with the various threat sources that are out there, whether they are the very ever popular adversarial attacker.

To what we're experiencing right now is you and I are recording this, the aftermath of horrific environmental threats and destruction that are going on. And so I stood back and I thought, well, if that, if that  series of events could create an evolution broadly in information technology, The same thing has to happen in the world of information security or cyber security.

So let's not only play defense, and don't get me wrong, that's table stakes, but let's also begin to think about how we can find areas where In which we are doing terrific work, we're excelling, and we can therefore make investments to further those initiatives to create more business value.

In other words, there are strengths in our security programs that we can leverage to create business value. 

Justin Beals: Well, I agree completely. And what I love about the idea that security can be a value creator is that you know, you're building a stronger business. If you're focused on security, you have resilience.

You know, you're going to be around through the ups and downs of, you know, economy or natural disaster or, you know, an aggressor, a threat  attempting to cause an issue, you know, one of the ways that we see a lot of companies going from a value creation perspective is generating trust in B to B relationships and the biggest levers lately are some of these standards and compliance outcomes that they're going for.

How do you think about that change, like broadly in the security marketplace? Are you, are you glad that we're a little more standards driven in our work? 

Bob Chaput: Well, the mosaic of regulations that are out there today is a little bit crazy-making. You talked about some experience you've had at British Telecom at a certain point in time.

You know the global environment. And our approach here in the U S when it comes to security and privacy as well has been very sectoral. There's a set of initiatives and regulations in the healthcare  sector. There are regulations in financial services or regulations in utilities and banking, transportation, etcetera.

Whereas a more global approach as is more uniform and independent or agnostic of the industry sector. So first and foremost, I wish we. Would do a lot more to deconflict and rationalize and reconcile the regulations that we have, which are now coming at us at a federal level, at a state level, at even a local level in many cases.

So. It's the regulatory environment is a little bit crazy making I appreciate the efforts and the intent, but I think what we're missing in the regulations largely when it comes to privacy and security is accountability. And I'll, I'll cite that in the following way or provide an example of what I mean.

Two examples, actually.  One goes  way back to my days in the mid-1980s when we built the disaster recovery facility for GE and then commercialized it. One of the things that enabled us to commercialize it was at that point in time, The Office of the Comptroller of the Currency,  issued a banking circular that said very explicitly, boards of directors will be responsible, personally responsible for a business continuity plan.

Fast forward the tape, roughly 20 years, and we had Sarbanes Oxley, section 302 of the which said the CEO and the CFO are personally responsible each quarter for signing off on the controls that are assuring the integrity of the financial information that's being put forth. Those regulations had some teeth because it caused the executive team and the board members to come to the table and get serious about this subject.

You cited, and I, my books reflect it, a lot of my experience has been in healthcare. It has been notwithstanding the fact that the HIPAA regulates, the HIPAA law was signed into effect in 1996, the Kennedy Kassembaum Act. Privacy rule in 2001, the security rule in 2003. Little has been done to comply with those regulations.

There is now breaking news. Senator Wyden and Warner have recently dropped a bill that is called the Health Information Systems and Security Act, which would place, among other things, a requirement. On the CEO and the CISO to sign off on. Now this is going to be years away, and it obviously has to go through a legislative and negotiating process.

But we're now at the point where we're beginning to see some teeth put into it. So regulations, regulations, but really what I would like to see is more accountability built into these regulations. 

Justin Beals: I love this because, certainly, I've worked at a lot of early-stage startups in my career. And I think. We're just so driven to get the product out the door. And there's a lot of expectations placed on the early-stage startups where we will disrupt in a way, like we will look for disruption, that we can help build our business and differentiate it. But I, I am always worried about the ethics of what we do because we're so driven on that singular outcome of growth that even they're, they're not small businesses, but very large startups, you know, can have a deleterious effect.

On, you know, our community at large, lots of times because there is no understanding of the ethics with which they need to behave until they're publicly traded. And by that time, they're so massive, you know, that it's well, A lot of the bad behavior is baked in. So, Bob, you know, one question I had for you is, I, in my work in tech, we throw around the word enterprise a lot. I actually use it in a lot of different situations. I can be talking about the scale of a business. I can talk about the grade of technology that we are building. One thing that I think would be helpful is do you see a big difference between enterprise cyber risk management as a practice?

It's development and implementation and companies of different sizes. 

Bob Chaput:  I do. I think there's some core requirements that really transcend the size of the organization. But when I think about enterprise cyber risk management. I think about it in a more strategic context that I do cybersecurity. If I may contrast those two,  when I think about enterprise cyber risk management, I think about some really core capabilities at a strategic level that organizations need to build.

And  I believe that because. We are still losing the battle overall because organizations have not started to treat enterprise cyber risk management. As a transformational program, too many are thinking about a cybersecurity project, right? And we all know projects have start dates and end dates, and you have a cake and coffee, and everybody celebrates in your time.

That's not what we're dealing with here. And so when I think about critical elements of an enterprise cyber risk management program, I think about capabilities like governance. Who's making what decisions, how and when using what data and facts, the classic, people process technology dimensions, the right number of people with the right skillset processes, policies, procedures, practices, technology, like any aspect of any business, there are benefits that can be derived from using technology.

In this space, it might be a GRC solution, as an example. And then last but not least, um, I'll talk about, I talk about engagement. So the classic core requirements, when people talk about transformation, people process technology, I bookend them with governance at the front end and engagement at the back end.

And what I need mean by engagement is. The ever classic, this is not an IT problem. We are way behind that, beyond that. We are now dealing with issues that are exist as existential to many organizations. And the engagement part of it is who owns the information assets in a business, whether it's a large business, your point of your question or a small business, and who's responsible for the risks.

Associated with those information assets. And by my way of thinking, by my training, my experience. What we do is, we place that responsibility on the hands, in the hands of the functional leaders, in the hands of the process owners, in the hands of the business leaders, not the IT organization. 

Justin Beals: I love where you're going with this.

You know, It's interesting my work around security and rolling out a security program. There's a couple of things that I tell folks. One is that think about security in the broadest possible definition of the word. It's not just like database encryption, but it's  operational excellence. And I think you're highlighting that that when we do an operational excellence thing, it's a horizontal practice in the business, and everyone has a part to play.We don't engage them very often. Like too often it was the CISO being in charge and driving down. 

Bob Chaput: Well, I think when it's left in that, and again, no disrespect to sure hardworking, conscientious, well, well-intentioned CIOs and CISOs and, and chief risk officers, compliance officers to come to work every day to do their best. But what they, what they're lacking today is a fair amount of engagement by the executive team and the board and, therefore, the associated air cover.

The consequence or the upshot of which is this subject matter is treated as technical, tactical, and goodness knows, there's a lot of spot welding and firefighting going on, as opposed to it being strategic and tactical oriented and much more architectural than it turns out to be today. 

Justin Beals: Yeah., I completely agree that this needs to be strategic work. Like, like we have a strategy around our finances and where we're going and what resources we have there and what we're going to use it for from an outcome perspective in your book, which I quite loved.

One of the ideas is that, you know, you want organizations to complete a risk and opportunity assessment that I think that can help define the strategic approach. Can you talk to us a little bit about how you, um, execute or think about that activity? 

Bob Chaput: Absolutely. It all starts with how am I going to make informed, intelligent decisions about expenditures in the security area?  until or unless I understand what my unique exposures are and too often, and this is where is the contrast between a cybersecurity project and an enterprise cyber risk management program. Too often, those decisions are made on the basis of today's threat du jour, today's vulnerability du jour, today's most popular control checklist.

As compared to what are the issues that are unique to me. So this whole idea of a risk and opportunity assessment, let me focus on risk for a moment, managing the downside. The whole idea is to go through a systematic process where you really flesh out and understand what are the exposures that you have.

One of the issues you talked a moment ago about having a financial plan and strategy. It's interesting if I may do a little bit of a sidebar, most members of the board, even though they're not former CFOs or former auditors, they understand some fundamental concepts about a profit and loss statement about a balance sheet, about a cash flow statement and things like that in our world today.

It's a mess in terms of basic terms, like an asset, a threat, a vulnerability and what constitutes risk. And if you pick up many trade journals today, you'll almost see the words. You do have to see the words, threat and vulnerability and risk used interchangeably. And they're not the same thing. Well, risk analysis forces people to get on the same sheet of paper.

And it's a process at a very high level by which you understand. Your information assets. What are all of those systems and data and devices that are supporting your business processes? Once you inventory all those assets, you then systematically go through and understand what are all the reasonably anticipated threats, all the reasonably anticipated vulnerabilities to those information assets.

Once you do that, you then take into account what security measures or controls you do or don't have in place. Then you net that out and say, alright, given the above. Let me give you a simple, very, very simple-minded example. I have a laptop, the threat is it may be stolen, the vulnerability is I may not have encryption on it.That's an asset, a threat, a vulnerability, that's a risk. 

Given the above, what's the likelihood of that bad thing happening, a burglar stealing the laptop and accessing that information? You assess that likelihood in consideration of what you may or may not have as controls on that laptop. You may or may not have encryption, you may or may not have strong passwords, etc.

Once you go through that process. And do it systematically across all the information assets and all the underlying component components. You will end up with a so-called risk register. And if you do it  properly and assess the likelihood and the impact of each one of those risks, you'll have a naturally ordered, rank ordered, so-called risk register.

That risk register is what puts you in a position to make informed decisions about those risks. And classically in forever and ever, we have four choices. We can accept the risk. We can then treat it by avoiding it, mitigating it, or transferring it. There's a whole analogous process that can be undertaken when it comes to opportunities.

In fact, when I go through my risk assessment for those risks that are, end up being scored with low values, those, in turn, may represent opportunities for me to leverage. They may represent strengths in my program that I can begin waving a flag and a banner about to say how progressive and proactive I am about enterprise cyber risk management.

So it's hard to do justice. That which is, doc well documented in NIST and ISO and numerous other places. In 100-page documents. But in a nutshell, it's all about what do you risk? What's your risk appetite? Putting you in the position to make those four choices except avoid mitigate or transfer.

Justin Beals: Yeah, I mean, some of the opportunities that I could see is that perhaps, the expenditures on our security practices are misaligned with the most critical risks. So there's cost savings there, right? Like we might be spending more than we need to.

The other side is from a marketing and sales perspective. Can I use these activities? Create confidence? Is that true? 

Bob Chaput: Absolutely. You earlier on you, you reference customer trust. So,as I'm fond of saying, unless one has been on an interplanetary space mission for ten years, you probably recall that Equifax had a major, major breach in 2017. Yeah, they cleaned house.

The CEO, the CIO, the CISO. They brought in a new team today. Fast forward to current time today. Equifax publishes its annual security report. It got serious about this. It understood that brand loyalty and customer trust. We're at a critical, critical low point and something had to be done. There's an example where an investment in a strong, proactive cybersecurity program not only is going to help the sales and marketing, but it's going to be fundamentally core to getting them out of the hole they were in, including, by the way, their credit rating was lowered as a result of that event.

Today, the credit rating has been increased to  where it was. Uh, And now their cost of capital is back to a more normal cost of capital for a business like theirs. 

Justin Beals: Yeah, you know, just  in a purely competitive way, I think about customer retention, you know, so when, when, you know, they lost customers likely due to losing trust in that moment, you know, have gained them back over time.

But as well, when your competitor has a major issue and. You're on the front foot on security and marketing that and making that a part of your brand. You are a haven for those customers that might be looking for an alternative. 

Bob Chaput: Well, while speaking of the competitive landscape, I'm not involved in day-to-day operations in the company I founded in 2009, Clearwater, but Clearwater today works with large hospitals and health systems in one category.

They work with. So-called physician practice management organizations, a lot of consolidation and roll up that's going  on, and they work with health information technology companies. Those HIT companies are going calling on the large hospitals and health systems with what might be brilliant products and solutions.

But they're oftentimes stopped at the door because of their inability to put forth and demonstrate that they have a strong, progressive, proactive enterprise cyber risk management program. Clearwater has been working with lots of organizations to help them bolster those programs and put them in a place.

Where they can use it as part of sales and marketing. And that's all about generating revenue, improving customer trust, driving the growth of your business. That's business value. 

Justin Beals: Yeah. I always think it's wonderful. It doesn't happen often enough. Where good practices, effective operations, a concentration on the ethics of what we do lead to more money, which happened more and more,  but it was one of the things that attracted me to this space.

I thought, you know, we can we can build a solution. That helps people build a more resilient company that helps them get more dollars. Gosh, that's, that's the kind of flywheel I want to see in our, in our technological landscape, in our business landscape, in our cultural landscape. 

Bob Chaput:  It it's, it's absolutely doable.

And this is part of the change in thinking, which is exclusively focused in many organizations and large part on the negative, on the downside of managing, um, the bad things that can happen rather than thinking about how do we leverage the strengths that we have to create that business value? 

Justin Beals: Yeah, absolutely.

You know, um, I read a complaint in your book.  I share it that too often, we purchase cybersecurity tools before understanding why they might be valuable to the business. And in your book, you illuminate, uh, uh, a practice you call the ECRM A budget philosophy. Can you tell us a little bit about what a budget philosophy is and how to utilize it inside an organization?

Bob Chaput: Sure. It's really not that complicated. It's all about thoughtfully deciding how you're going to fund your enterprise cyber risk management activities. And I mean, it could be as dumb, pardon me, but it could be as dumb as the executive team saying, what are you talking about? Our CIO needs to figure this out.

And they and she already has an inflated budget. So just go away into it. It could be, it could be, and it's not typically one sentence, but I exaggerate to make a point. It could be as progressive as along the lines we spoke a moment ago. We view cyber risk management as a value creator and as, as a path towards creating competitive advantage.

And as we take on our thinking and our approach to funding enterprise cyber risk management, We're not only going to think about managing the downside, we're going to be thinking about areas that we can leverage to put us in a better position to increase customer trust and brand loyalty, to drive revenue growth, to make us stronger when it comes to M& A activity.

To help us be in a strong position from a compliance point of view, etcetera, etcetera. Now to get there, and I won't detail it all here, but what I, what I tried to do in the book was to present a number of what I call maxims, some basic points Around which an organization should have some good debate and discussion.

So as an example, one of the maxims  came out of CityBank and their philosophy that was expressed by their chairman, we regard this as part of the ordinary course of doing business. This is not something extra. This is as fundamental to people need computers and desks and lights to be able to do their work.

That's one of the maxims. Another maxim is we're going to base this on understanding our risks. And we talked about that a moment ago. Red. This is a risk-based expenditure, and that's something we're going to do willy-nilly. Another Maxim is a security by design. We have so many organizations that are implementing.

New technology solutions and security and privacy are an afterthought. So what I encourage people to do in the book is to go through a half a dozen of these maxims and kick them around with the appropriate audience and the executive team, notably, and ultimately that team presenting it to the board and saying, we've really thoughtfully.

Develop our ECRM budget philosophy, uh, based on, uh, these kinds of acts and if you will, 

Justin Beals: I thought this was such an incredible tool, um, having worked in a lot of consensus-driven situations, especially when you're building large platforms for an organization, you know, everyone has to get by in that, that, that they're getting what they want out of it.

And if you get too far in the details without a high-level agreement, It can really derail 'cause, 'cause people will complain about a single expenditure. Uh, that's, that's what attracted me to this 'cause if, if we can agree that a, a maxim is that we're gonna be risk centric about where we spend money, then when I say as a CISO or a, a leader on the budget side, Hey, we're, this is our risk.

That's why we're spending money in it. I don't have to explain that, we all agreed. This is what we're doing, right? Yeah. 

Bob Chaput: And it's that, it's that, uh, that a priori agreement that is going to facilitate the more intelligent, informed approach to enterprise cyber risk management. 

Justin Beals: Yeah.  And, you know, you have this quote in your book, uh, In my work with CIOs and CISOs, I too often hear about efforts to build all or part of their ECRM program or strategy within their respective teams, then be shared with the rest of the organization.

And you, you have basically pushed hard in the book that actually it, it starts at the consensus building first. 

Bob Chaput: Yeah, it's, in, you know, many people have said it and not just me, but it has to be a team sport. Everyone in the organization has skin in the game from the board and maybe it's the entire board or committee, the audit committee, the compliance committee, the risk committee.

Yeah. To the executive team, to the next level of management, down to and including people in the engine room, so to speak, people on the front lines. I remember working with an organization that, um, uh, uh, had an epiphany and said, I know what we'll do. 

We're deputizing every individual in our organization as a privacy sheriff or as a security sheriff, that's the tone was set at the top that enabled that to be promulgated through the organization. So creating this, this team sport or creating the right level of engagement, a big part of it is at the front end with governance. That's the question of who's going to make what decisions, how and when using what data and facts.

As it relates to these cyber risk management issues and that the other end on my five-step process of governance, people, process, technology, and engagement, how do we assure people are going to be engaged? Well, that's about ownership of this application or this information system rest with dysfunctional leader, whether it's the chief operating officer, the chief financial officer, whomever. So it's, it's, that's part of it. But the other part of it is building security measures and objectives into individuals, management by objectives or performance goals. However, the organization may operate.

There's an organization in Australia that had a cyber event. The upshot of which was compensation was withheld from various members of the executive team because of that event.  Now we're talking about accountability. Now we're sinking teeth into it. And I don't mean to be punitive about it. But if we really are going to encourage this to be, to have engagement and for it to be a team sport, those are some of the mechanisms that we need to employ.

Justin Beals: Yeah. I mean, certainly, from a people management perspective, I like to say it's 80 per cent carrot, 20, 20%, you know, stick, just, just keep motivation high, but that also has to be an, you know, if we, if we don't perform well on, on the other side, then there, there has to be, well, at a minimum, a change or a consequence to what happens.

We,  I love this concept of ownership. You know, I've seen even inside of our company, we do this annual security training and 30 minutes later, I've forgotten, you know, half of what was covered. But I'll tell you what I always am aware of are the controls that I have a personal responsibility for. And we've tried to engage teammates with.

With literal control ownership, like this is your control. You're expected to operate it. This is the definition of it. If it needs to be changed, you need to let us know. But guess what? You're a security expert to I 

Bob Chaput: had an interesting experience along those lines. Uh, assume the role of a CIO and large healthcare company that I mentioned, and it was the annual budget cycle.

And I faced a, um, uh, a group of internal customers who complained that we did things too slowly. They were not good quality. There were issues left and right. And, it costs too much money, right? The old cost quality and, uh, and schedule. Uh, so when it came to budget time, I said, I'll tell you what, this is going to be a zero base budget until or unless you as business leaders stand up and say, I own the electronic health records system, I own the patient accounting system, I own the pharmacy system,  it's not, these are not applications or systems that are owned by or owned by it.

And when you stand up and take ownership of that entire portfolio of applications that we supported, then the next question became, who owns the risk related to those? So it was, it was an evolution and, and the ownership is such a key, key component of the level of engagement that we need. To make this the team sport we talked about.

Justin Beals: Yeah. And when it's a team sport, we communicate with each other about what our shared expectations are about what we're going to achieve. And it's just such a stronger security posture because now we, we are a part of it. We consider ourselves a part of it. Yeah. It's not happening outside of us.

Absolutely. There was a, you know, in your book, you talk about three major components of the ECRM program and strategy, and I'm wondering if you can help us identify these three and their use, the framework, the process and the maturity model. 

Bob Chaput: Sure. Yeah, I regard these as really foundational, as building blocks.

To a good program. So the framework, um, basically is a, is a, a mechanism or a tool to help you articulate. What your desired outcomes are, and what it is you're trying to achieve with your enterprise cyber risk management program. My classic go-to tool and recommendation is the so-called NIST cyber security framework.

In fact, the NIST cyber security framework includes a section on implementation. That is all about starting with business goals and objectives and how those translate into what you're hoping to achieve with your security program. So number one is the framework and think about that  as your articulation of what you're trying to achieve.

Number two is the process. How are we going to go about achieving those goals and objectives that we just communicated or articulated? By way of our work with the framework and my go-to process. I'm a huge fan of everything. The NIST, the National Association, the National Institute of Standards and Technology has done, and they're a compendium of great documents.

Process-wise, I would start with something called NIST Special Publication 800 39, which is about information risk management. In that, they articulate a four-step, four macro-step process, frame your approach to doing risk, hence the framework, assess your risk, respond to your risk, and monitor your risk.

That's the process. If the framework is about what we're trying to achieve, the process is about, uh, how we're going to go about doing that. And [00:40:00] then last but not least is this notion of a maturity model. And this is a, this is the third component. Maturity model is really, in, plainer language, how are we going to get better and better at this?

It is about process improvement. In this particular case, process improvement around your enterprise cyber risk management process. And the maturity model, um, there are many of them out there. For those of us who have been in software engineering, software development are familiar with CMMI, uh, Capability Maturity Model Integrated, which came out of Carnegie Mellon years ago.

The ISACA group,  using COBIT,  has a maturity model that's adaptable. I don't know of a pure play NIST. Maturity model for cyber risk management, but I have found organizations. And in fact, Clearwater, which I mentioned before, has done a great job at adapting both of those tools to be used as the basis of a maturity model.

But fundamentally it gets to, how are we getting better and better? So number one, framework. What are we trying to achieve? Number one process. How are we going to go about doing it? And number three, maturity model. How do we get better and better at this continuous process improvement, if you will? 

Justin Beals: Yeah, absolutely.

I was wondering,  with the time that we have left today, I wanted to dive into one aspect of security broadly, a little more deeply. And I think it's something in You've probably had some, um, unique perspective on having managed large businesses that have a lot of vendors that they're working with.

So, I think third-party risk management is the term du jour. I certainly , as a vendor in a space, filled out a lot of self-assessment questionnaires over time, you know, to just, I guess, give a perspective on what we did, uh, that I don't think was precise enough. And I would have customers like Goldman Sachs that would literally audit, you know, our technology before they do an adoption.

And then we've really moved into some more like standardized assessments lately. But I still think that buyers are just struggling to trust this. These assessments. Do you have any thoughts on the future of, you know, third party risk management, or if you could wave a magic wand, what you'd like to see, uh, in this realm?

Bob Chaput: Yeah, well, I'll, I'll start out by giving you a little personal example, call it a karma. Uh, so I mentioned, uh, early on, I, I hired, created the program and hired the first chief information security officer. In Johnson and Johnson, fast forward the tape to the days. When I founded Clearwater, I was trying to earn the business of Johnson and Johnson, and I get this 154 page,  security policy and procedure, which was basically 154 pages of controls, uh, to which they said, respond to each of these and tell us how you're doing this.

Ironically, I'm the one that started it. It's tough. It's, it's crazy-making. And yes, there's been some move sort towards some standardization in some of these assessments, but  it's really still a mess. I feel the pain. I understand the question, understand the issue. I think the solutions end up involving,  a handful of critical things.

Number one, I'm going to use the word legitimate, legitimate and meaningful certifications. There are some head fakes out there and I won't name names. I'll protect the innocent. But there are some also very respectable certifications out there. For example, if you want to do business with the government, FedRAMP, and then an emerging  requirement in the defense industrial base is a so-called CMMC, cybersecurity maturity model certification, that by the way, is a sidebar.is starting in the D. O. D. One of the part the departments in the executive branch of government. But stay tuned. I see that promulgating around in other agencies within the federal government. 

Justin Beals: So we have a lot of customers that are doing C. M. M. C. Right now. 

Bob Chaput: Absolutely. And, and, um, it's not perfect. None of these are perfect, but it's, it's nuts and bolts and gets that obviously in a special publication, 800 dash,  one 71 following 800 dash 53.

Sorry to talk gibberish for people who don't know those, but it's, it's pretty solid stuff. So number one is, um, legitimate and meaningful certification. Number two is contractual language. And contractual language ranging from, um, a requirement  that the vendors provide proof of a solid, progressive, proactive cyber risk management program.

Another aspect of the contractual obligation should be around notifications, as an example. And the third area is in, and I know there's a lot of work in this and various industry sectors, but it's around information sharing. And that gets a little dicey at times because of the competitive landscape and who wants to raise their hand and say, I've been hacked because I had this ridiculous vulnerability.

But I think that's part of it. , I think that we talked about regulations before, but I'll make the point again. As, as this matter of third-party risk management is affected by, um, regulations, we really need to rationalize and deconflict, uh, and reconcile this mosaic of global, federal, state, et cetera, regulations that are out there.

Justin Beals: Well, this has been an exceptional conversation, Bob. I want to, um, just, uh, share with my listeners that I really enjoyed, this is going to sound weird. Reading your book. Um, certainly, uh, one of the things I deeply enjoyed about it is not only do you have a high level perspective for very large organizations on the process, but they're all along the way.

They were very pragmatic. You know, do this. Here's an example of how to do it well and what to look for as an outcome. And I, in a way, a technical manual for being able to achieve,  some a great enterprise cyber risk management, um, practice inside the business. Tell us just briefly would love to learn a little bit about where Clearwater security is going, for you and the business. Yeah. 

Bob Chaput: Yeah. Well, in a nutshell, as I alluded, I founded the business in 2009 and I'll ] be very, very frank about it. Everybody wants to talk about this big genius business plan and that they did the walk in the woods and pontificated and no, I was waiting for my wife to retire.

And the high-tech act was passed, and former friends and colleagues called and said, yeah, it looks like they're putting some teeth into the HIPAA regulations.  You know, can you help us? And I'd say, well, what do you need? And they'd say, well, this, that, or the other thing and say, I think I can do that.

It started out with me and my laptop and my knapsack. Schlepping around, doing whatever people needed to have done. And I got to a point where I developed some good intellectual property and wanted to sass size it. I hired a former friend and colleague. We developed some  web-based applications.

At that point, the vision was no greater than sitting on the beach watching PayPal ring as somebody subscribed to the next subscription. Well, I'll fast forward from 2009, 10 and 11 to 2017. There was no beach time. That vision did not work out at all. At the time I read the book the Four-Hour Work Week for me, it turned out to be a 104-hour work week.

I got to the point in 2017 where having bootstrapped and self-funded the company, I thought, we have something here. At that point in time, we had 70 people in the organization. We found a financial partner, a private equity firm, El Terra's Capital Partners, out of New York. They've been great. We've had nothing but a terrific relationship.

I've moved out of operations and day-to-day activity into the role of executive chairman. It's been just a delightful run. We're now a 200-person-strong organization. We're the largest pure-play cybersecurity and compliance, uh, vendor solution provider in the healthcare industry today. And we have over 600 active clients.

It's terrific. And we're on now as a result of some of the continued enforcement and regulatory change. We're not only working in the health space but also within the, uh, the defence industrial base. And we have a lot of good things going on in both areas. So the essence of your question is, where is it going?

We see nothing but great growth from this point forward. 

Justin Beals: That's super exciting, Bob. Well, I highly recommend to all our listeners to check out Bob's book and, uh, really appreciate you spending the time and sharing your expertise with us today, Bob. 

Bob Chaput: My pleasure, Justin. Thanks very much.