# #

October 25, 2021

CISO Interview Series: The Transformational CISO with Dan Walsh of VillageMD

This webinar is part of our new series, The Transformational CISO, where we get to know forward-thinking cybersecurity leaders across all types of companies and industries. In this installment, Drew Rose, Living Security’s CSO and co-founder, sat down with Dan Walsh, CISO for VillageMD, one of the leading providers of value-based primary care services.

Missed the webinar? We've included a recording of their conversation as well as the full transcript below.

Highlights from their conversation:

  • The importance of understanding your end users’ priorities.
  • How to transform your security team’s reputation from impediment to enabler.
  • The percentage of US hospital networks that have been impacted by ransomware.
  • Just how vulnerable are medical devices to IoT exploits?
  • What exactly do threat actors do with patient health information?
  • The big security threat in healthcare isn't what you'd expect. 
  • Should security professionals focus on creating a better mousetrap or something altogether?
  • How do you change security behavior in someone's home?



Drew Rose: Welcome to The Transformational CISO, a series of conversations with CISOs leading some of the most innovative companies on the planet today. My name's Drew Rose, CSO and co-founder of Living Security, leading the charge in human risk management and behavior change. I'm excited to introduce you to Dan Walsh, CISO of VillageMD, one of the leading providers of value-based primary care services. And we're going to have a great conversation.

Dan Walsh: Thanks for having me, Drew. Good to be here.

Drew Rose: Yeah, absolutely. So the first thing I like to ask any CISO on this show is kind of a little bit about your history, your path.

Dan Walsh: Sure.

Drew Rose: How did you get to where you are today? Because it's never the same for anybody.

Dan Walsh: Right, right.

Drew Rose: And there's always these inflection points throughout your career that kind of puts you on the path of forward thinking, innovation, and trying to do more than what you did in the previous years.

Dan Walsh: Great question. So I started my career as a data miner actually and then from there, went into data application development. And I always had a passion for having high-quality software. Part of quality in software is also secure software. You can't have high-quality code or high-quality software without it. And so, one thing led into the other. And the next thing I knew, I was working in security at UnitedHealthcare, a part of UnitedHealth Group, and that's how it became a CISO.

Drew Rose: Okay. So that was a very quick turn. That is like as a year or two, right? When you were data mining, that's very... Number one, can you explain what data mining is to me?

Dan Walsh: Sure, yeah. So data mining has a couple of definitions, but primarily, it's how do you extract data that it might be on systems that isn't through like traditional reporting methods. So that's how you acquire some of the data. And then there's the analysis of the data. So what are these data trends telling you about the business that you're working with or the problem that you're trying to solve?

Drew Rose: Okay. So what was one of the biggest exposures of security risk while you were data mining?

Dan Walsh: Well, obviously, being a data miner, you have a ton of elevated, privileged access. You have access to all the data. And so that's super valuable and something that needs to be handled with care.

Drew Rose: So during that time of your career, were you the only one thinking like, "Oh, this is a big risk. I should protect it." And who was in charge of protecting it then?

Dan Walsh: Yeah. At that point, I would say it probably wasn't on the forefront of a lot of folks' minds. But again, going back to doing a high-quality job, that's how I began to think about security.

Drew Rose: So, I mean, was there anything personal like in your life that like... Because I know a lot of engineers. And it's very clear, the engineers that care about secure coding and creating stable software that can scale and just continue to be secure. Is there anything about your personality that you've been able to discover like, "Oh, this is why I care so much. This is what led me from being a CTO to a CSO or CISO"?

Dan Walsh: Yeah, there is. So first and foremost, I come from a very heavily military family. My mom and dad both met in the Navy. And so I've always had a sense of trying to serve and protect. And I kind of extended that to data security, cybersecurity.

I also think a lot about my grandmother. Her name was Dolores. And when I would talk to her about security, she really don't understand it. She's like, "Well, isn't that what you're supposed to do? Isn't it supposed to be secure?" Right? "Why is it different? Why is it..." Because when she was growing up, it wasn't even a thought. And so I think those two things, my grandmother's expectation of, well, of course, it's supposed to be that way, and then also coming from a military family and having this desire to protect and to keep things safe is really what kind of drives me personally around security.

Drew Rose: Yeah, that makes sense. And your grandmother... I mean, this isn't like a trope or a stereotype on grandmothers. Her feeling of, it should be secure, I should be protected, I shouldn't have to think about that, that is one of the biggest challenges I think we face in the security world is this expectation that the professionals are doing their job at 100%...

Dan Walsh: I agree.

Drew Rose: ...when really the professionals are humans, and they're bound to make a mistake. And that's why we need to make sure that as that kind of that first and last line of defense, that the other humans on the receiving side of this application are prepared if risk comes into play.

Dan Walsh: Yep, I would agree.

Drew Rose: Awesome. I'd love to talk... Are you one of the people that sits your back to the wall, that you're facing the entrance of the cafe, like you're always assessing risk?

Dan Walsh: If I said no, I might be lying a bit, but I would say 80% of the time.

Drew Rose: In your role at VillageMD, you guys are growing rapidly. You're bringing on new providers all the time. You're in a highly distributed and technical environment. What are some of the challenges that you're facing today?

Dan Walsh: Well, so one, the way that you grow a physician company is by buying physician practices. We can't just go manufacture them. We also can't manufacture patients, right? And so the big challenge... There's a couple of big challenges. One is operating within healthcare, highly regulated. A doctor's primary focus is, am I working off a Windows 7 machine? Does this turn on? Can I access my EMR, and can I treat patients?

And so with these integrations, often, they may not have top-line security because maybe they're a small practice. Healthcare in general tends to kind of lag behind a little bit, because again, the investment is going into the patient side. And we haven't quite rounded the corner. I think we're getting there where we attribute cyber safety to patient safety. And that's the connection that I'm really passionate about making at Village is that keeping our patients data safe is part of caring for the patient. And so, I think that's a big challenge.

I think the other big challenge that we face that I think just people see anecdotally in the news and the media is things like ransomware. There was a clinic in Indiana that made the news earlier this year. They had to turn ambulances away from the emergency room, because their EMR was taken over by ransomware. So they literally couldn't treat patients. People were in the way to the ambulance, and they had to reroute them to another hospital. There was an article earlier this year also that said that 48% of hospital networks have been impacted by ransomware. So that's almost half of the hospital networks in the US impacted by ransomware. So that's certainly top of mind.

And then also working at Village, we have a very distributed end user base. We've got security folks, IT folks, marketing folks. We have doctors. We have nurses. We have operational folks. And so each of those present a different human risk. They also come with a different set of experiences, which also factors into kind of the way that they operate, having different levels of access, so on and so forth. So it's a very interesting environment to kind of work to secure.

Drew Rose: So the connection between patient safety and cyber safety and tying that together. I mean, we've heard some of the stories you brought up, back when the Ariana Grande bombing happened, and we had the big ransomware over in England, same stories. Hospitals were turned away. And when we're talking about minutes to save lives, that could impact the life or death of a person.

And those anecdotal stories, do you feel like they go the distance needed to reach the doctors to say, "Oh, I'm going to think about upgrading. I'm going to think about investing. I'm going to think about this new process," or do you feel like you have to go and find more data, more details to kind of connect the dots between cyber safety and physical safety?

Dan Walsh: I think when you actually have a conversation with them, have build a relationship with them, they get it. Is it top of mind for them in their day to day? Maybe. Maybe not. I mean, again, their job is to see patients. But when I sit down with them, and I talk with them, or I might send an email out communicating whatever, I do think they really do respond to it well. There's definitely a desire. This might sound terrible, but every other day, there's some massive story about some cybersecurity incident somewhere, and people are definitely catching on.

Two years ago, I would've said differently but the last 18 months... It seems like once COVID started, like it just exponentially ramped up. And so I do feel like we're getting there, but I think the key is how do you link their behavior at work to that knowledge of these things are going on, these things are possibility. How do you make that connection to like this behavior that I'm doing could actually result in ransomware?

Drew Rose: Yeah.

Dan Walsh: And so that's the connection that we're still trying to make. I think we're going to be successful, but that's the journey we're on.

Drew Rose: So let's dive in a little bit into relationship. And I like to get tactical in these conversations, because I know there's other people that are in similar shoes as yours. How many PhDs, how many doctors are in your realm of business?

Dan Walsh: That's a great question. Don't quote me on this. 800 maybe...

Drew Rose: Okay.

Dan Walsh: ...and growing. Yeah.

Drew Rose: So you mentioned like building the relationship, having that relationship established. So, from my perspective, they know who to talk to ask questions. So how do you scale that? I know you don't have 800 doctors on speed dial. You'd be probably the healthiest guy here. You're going to live forever. So how do you scale those relationships where it feels personal, but it's also, you have a full-time job?

Dan Walsh: I think part of it is getting to work with... It's a combination of working with the leadership, so it kind of comes down. And then when you do have those interactions, making sure that they're meaningful. The first thing that I do is if someone comes to me with a security problem or a technology problem, I'm happy they came to me. Even if it's because like, "Hey, I clicked on this link, and I got phished." And like, "Okay, that's what happened. Let's talk about how we're going to move forward here."

And then also like enabling the business. So I've seen situations where someone will do something that's a really poor security thing to do, but it was because there was a business obstacle in the way that forced them to find a way around it. So how do we remove that business obstacle? If the security's in the business of removing business obstacles and enabling the business, then I think that relationship can be very good.

Drew Rose: Yeah. So almost instead of being a blocker to getting your job done efficiently, kind of being an enabler.

Dan Walsh: Yeah. Customer service could be a synonym for security. How can we serve you today? Like I'll give you a great example. We had one group in our company that needed to share files with an outside entity. And they were concerned they were going to violate security policies in doing that because we have certain tools that we use. And so I said to them, I said, "Listen, you will never get in trouble for asking me." So make the problem the securities' problem. You say, "Hey, I got to share these files with this third party on this time, and I don't know how to do it. So here you go. Go." And we're happy to take that. And in the process, we're going to educate them. Maybe we'll find a business gap or a gap in process or gap in tooling because our company is growing so fast that we'll be able to implement so other people can benefit from it. And now they know how to do that in a secure way going forward.

Drew Rose: Yeah. So interesting. A lot of Living Security clients that are maturing in human risk management are taking this approach on ambassadors or champions. Considering how distributed you are and you're working with nurse practitioners and doctors and administrative people at these locations, do you find yourselves maybe being able to adopt like a champion program where the people that are raising their hands saying, "Hey, I have a question, Dan." And then you can say, "Hey, thanks for the question. I was curious if you'd like to join us." Do you see that working in your field?

Dan Walsh: Yeah, and we have a version of that right now. So we call them our compliance champions, because in the clinical world, compliance, I think, resonates with some of the clinicians maybe more than security does, because that not only do they have HIPAA compliance, but they have NCQA and a bunch of other alphabet soup that I bet I may not fully understand, but I'm coming up to speed working at Village.

And so, we'll do things like, "Hey, we want to do like a clean desk check in the clinic. So here's a check sheet. And can you walk through and look for Post-it Notes on monitors, unsecured laptops, like some of those things." And so, I do think that is something that we're utilizing, and it's something that we want to continue to invest in.

Drew Rose: When you think about new technologies and technologies entering into healthcare and the trust of the new technology in the doctors and the patients, are you feeling like the doctors are given enough resources to understand the technology, to understand the risk that that technology that they're bringing into their practice?

Dan Walsh: I would say at Village, I think we're at a point where we're there or almost there. And the reason for that is as part of the procurement process or as part of the investigative process, we have legal requirements, legal review. We have procurement review, and we have security review.

Drew Rose: Okay.

Dan Walsh: And we work as one team. And so, we've had vendors come in that might look good on one firm but not the other. And so, what we do is we will actually assess that risk from a legal procurement and security point of view, and we will present that to the business, and then they can choose whether or not they want to proceed.

Now, sometimes, it's so bad, like we'll just say, "Hey, we recommend not doing this. Do not move forward. If you do, we're going to need to get some very executive level sign off," but we really haven't seen a lot of that. But I think, again, what is the business problem you're trying to solve? And can we partner with you to go find maybe something else that will help solve that problem?

Drew Rose: So, on that same subject, we've also heard in the news and stories coming up being able to hack pacemaker, and pumps, and things...

Dan Walsh: Yup. [crosstalk 00:14:16] devices. IoT.

Drew Rose: ...of that sort that are connected to the IoT.

Dan Walsh: Yep.

Drew Rose: I am from the outside looking in...

Dan Walsh: Sure.

Drew Rose: ...and those stories, those are things that I want people to hear, because I think those are the stories that make a difference when you think about patient safety, patient care from a clinician perspective.

Dan Walsh: Yeah.

Drew Rose: I mean, is this realistic? Is this getting worse? Is it getting better? Are you still running into old firmware on these new devices that are getting installed in humans or being used in patient safety?

Dan Walsh: I would say the industries in the process are cutting over. They definitely hear it. There are now major companies that they specialize in medical device IoT like vulnerability management and monitoring. And the reality of it is firms that kind of have a security mindset, they're the ones that are going to basically, I think, hopefully, thin the field out a little bit for the devices that aren't supported or that might have a dependency or incompatibility issue, and they can't be upgraded.

But I do believe that... And I won't mention names, but I do know there's major medical device manufacturers that have invested heavily into their security. I think where the disconnect might be is when you've got smaller, more regional health systems or smaller, more regional clinics, and they just don't have the resources to invest to go purchase a tool that's going to scan for vulnerabilities.

Drew Rose: Yeah.

Dan Walsh: And so they're just kind of hoping and praying that nothing happens.

Drew Rose: Because those tools, the tools that are leveraging like the third-market vulnerability scanners, I mean, they're going to be more expensive, right?

Dan Walsh: Oh yeah, absolutely.

Drew Rose: Because they're going to be investing more money to make it sure they're secure.

Dan Walsh: Yeah. Some of these companies actually work directly with the manufacturers of these devices, and there's a lot of business involved there to make that work. And so yeah, those [crosstalk 00:16:00].

Drew Rose: I see the job title of product security specialist, product security engineer starting to bubble up in a lot of hardware...

Dan Walsh: Yep. Absolutely.

Drew Rose: ...which I like to see.

Dan Walsh: Yep. Yeah, it's definitely... If you're a person looking to make a career switch or getting into a career out of high school or college, it's a great place to go.

Drew Rose: Yeah, that's awesome.

Dan Walsh: Yeah.

Drew Rose: So, ransomware hospitals impact huge. IoT, we've heard about over the last five or so years. Think inside healthcare and outside, but what are some of the threats that are flying under the radar?

Dan Walsh: So I would say shadow IT. A lot of folks in the healthcare system are used to just being like, "Oh, I need this thing, so I'm going to go buy it." And especially, like maybe in the doctor space or the office manager space like, "Oh, just put it on the company credit card and buy this little tool that can help us do this particular use case," and not really realizing that, "Oh, wow, this is actually..." Maybe you need to have security, but it's so small.

Healthcare's a data-intensive world, and all of it is regulated pretty much. And so, the other big risk is just data leakage. You got all these SaaS, file sharing systems. And so, we got Dropbox, Box.com, Google Drive. You've got all these different ways of sharing files and unless security teams are super aware of that, that can be a problem as well. And so I think that's always a big issue.

The days of gigantic cartons of files of PHI printed out, they're kind of going the way of the dodo, so to speak. And now, everything's electronic. And so it's this electronic way of sharing PHI.

I think the other thing too is when you're dealing with PHI every day, the human reaction to that is like, "Well, it's PHI. Of course, I have to create it safely," but do you really?

Drew Rose: Yeah.

Dan Walsh: And so, it's that constant reinforcement of like this is why this data's so important to protect because of kind of what it represents to the patient.

Drew Rose: What are the cyber criminals doing with PHI today?

Dan Walsh: So depending on what study you look, a PHI record is worth between $400 and $500. And so they're selling it. It can be used in multiple ways. It could be used to steal identity. It could be used for social engineering.

If I know that you're on blood pressure medication, I send you an email that says, "your specific blood pressure medication's on back order. Click here for another way to order it." I'm probably going to click on that. If the bad actors know what your children's medical history is, and they send it to the grandparents or the parents. I mean, the possibilities, I think, are really endless, but the goal is to monetize it.

Drew Rose: I read this briefly maybe a year ago about PHI being leveraged to get actual surgeries. Have you seen that?

Dan Walsh: I have not seen that firsthand, but I have heard about that quite a bit where it's like medical care fraud and going to the dentist and getting the teeth treated, and they think it's someone else. Because it's expensive. Healthcare's super expensive. So, I think there's fraud going on in all different fronts when it comes to healthcare.

Drew Rose: Yeah. That's like the long con. I feel like you just can't buy PHI and then walk into the hospital. "Oh, I need to get..."

Dan Walsh: Well, there's also the long con... When you think of the long con when you think about Medicare and Medicaid, right? Government programs that provide reimbursement. There are fly-by-night clinical providers that just pop up, and they'll collect a bunch of Medicare. I have read about one scenario where they were offering a big screen television if they let you photocopy the front and back of your driver's license and your Medicare card. And then they were fraudulently billing Medicare for that.

Drew Rose: So they were just outright, "Hey, I just..."

Dan Walsh: Just flaunting it.

Drew Rose: I'm not even trying to hide. Like I want steal your identity.

Dan Walsh: I'm going to give you this 30-inch television, you let me, and you won't get a single bill in the mail and people will do it. It's crazy. It's crazy.

Drew Rose: I always felt if I were a cyber criminal, like a little bit of an investment, I bet you I could have insane returns using real life like...

Dan Walsh: Absolutely.

Drew Rose: ..."Hey, fill out this survey. I have a $5 Starbucks gift card." Like legit, like a real Starbucks gifts card.

Dan Walsh: Look, number one, there are these ransomware gangs and other bad actors. They literally have product teams now.

Drew Rose: Yes.

Dan Walsh: And then the other thing is, yeah, this is what crime pays, so this is why this is going to continue to happen. This is why making people more aware, reducing that human risk is so vital. Because people almost have their head on a swivel, so to speak. And being aware that that email that's being sent to you, that text messages being sent to you, maybe that search result, it could potentially be a bad actor trying to extract value out of you and get information that you have from you.

Drew Rose: All right, hot take. What do you think of cyber criminals that say they don't target healthcare?

Dan Walsh: I mean, I appreciate it in one sense because I'm a healthcare CISO, but the other hand, it's like, okay, so there's a victim somewhere, right? So you're still... I mean, I'm glad. I guess you have that one level of ethics, but you're going to financially ruin somebody, and maybe they can't afford to pay for their healthcare bill. So to me, it's kind of all the same.

Drew Rose: Do you believe them when they say something like that?

Dan Walsh: I don't know what to believe anymore. I think if it was like you can get a million dollars and not kill anybody, they would do it.

Drew Rose: Yeah. So talk to me about investment right now. You have a pie graph. You got personnel. You got technology. You got endpoint technology. I'm sure you got some type of insurance and legal services. And then you got people. What does that pie graph look like today, and how is that shifting from five years ago to today to maybe five years from now?

Dan Walsh: So I'll talk broadly about the industry, and then I'll talk a little more specifically about what we're doing at Village. I would say the industry has shifted from more GRC compliance space to more product security.

Ransomware, I would argue wasn't even a thing three, four to five years ago. No one really ever heard of it. And then when you did hear about it, it was as novel as the cloud. And so I think that's a big shift. And I think that because that's been a shift, the money has followed that into those products.

I would say that we're getting to the point now where that market is not quite saturated. We're going to move on to other product security type of areas like the software supply chain. But what's going to happen is because we didn't completely solve that problem and cybersecurity threats are still going up, we're going to start circling back to some of the other things.

And we're seeing that now with some of these GRC platforms, where it's like SOC-2 in a box. You plug these controls into your client environment, and, boom, you have an instant SOC-2. We're seeing this now with... This is why I think Living Security is really on an exponential growth phase is because, okay, just the traditional compliance check the box train didn't work. So now what? Right? And that's not that you guys are cracking.

I think from kind of at Village, we are growing super fast. The company's over doubled since I've been there. I've been there a year before it doubled. And we're going to continue to grow like crazy. And so, I think for us, we keep an eye on the threat environment. But because the growth is what it is, we really need to make sure that we're building that. Because we're actually building culture on the fly. Like we have a culture and as people come in, they come in and that culture continues to grow and to change, which is great. We need to make sure that security is a part of that. And so that's really what I'm so focused on.

In terms of spending on that, it's kind of all over the place, to be honest with you. Because we're growing, we might realize like a technical platform or a technical solution needs to be abandoned in favor for something that's more scalable. And so we'll make sure that the security companies that... Same thing with the of third-party vendors. And then people growth, like we're growing the team pretty healthily. The company's been wonderful about investing in security. But also with that should come some level of economy of scale. And I think we'll get there sooner than later. But I think when a company doubles like that in a month... Or in a month, in a year. Thank God. I thought a month. But in a year, you're really going to be, I think, growing up on all cylinders.

Drew Rose: So endpoint security turned into endpoint detection response. Web security turned into client access security broker. SIEM's turning into XDR. Like we're getting brand new technologies that are kind of taking over and overshadowing the existing kind of legacy technology. Do you feel like that is as a transformational CISO thinking in the future, is that going to continue to be the trend? Like we're going to have these new technology pockets popping up. Or at some point, do we expect like what we have to do a better job to help reduce the risk of the new attacks and threats that they're not being able to protect us today?

Dan Walsh: Well, we're going to go one or two ways, I think. Either we're going to continue to evolve in the next best mousetrap, or we're going to learn how to connect those instances of those technologies across organizations, across our company, across our nation, across the world. So as an example, if I click on a phishing link that... If I could click on a phishing link and I end up giving out client information, shouldn't that trigger a secure alert to my client? It doesn't. What do we do? We have a security incident. We look at what our contract says in the security section about notification. That's not solving the problem. The problem has to be a developer submits up for request to master. They introduce an open-source vulnerability. An alert get sent their SIM and to their client SIM.

If we don't get there at some point... Again, this might be 20 years down the road. I don't know. But if we don't get there at some point, we're going to continue to iterate on the next best mousetrap. And CSO are going to continue to be frustrated because they're going to have 17 tools to do 18 things when they just want three or one. I don't know. I think the future's yet to be written on that regard but from my simple way of thinking about things, that's where, I think, it could go to solve that problem.

Drew Rose: I can't predict the future. I'd like to see the investments that we're making continue to pan out where CISOs can focus on human risk versus replacing technology every two years.

Dan Walsh Yep.

Drew Rose: I think it's a better investment in time and resources.

Dan Walsh: Yeah, I would agree.

Drew Rose: But to your point, I think we need to put more pressure on product security companies to do a better job to develop secure products and to be more transparent in where they are, so we can fully understand and assess.

Dan Walsh: Well. And to that point, right? What has COVID done? It's forced a lot of the companies that we work with to go remote. And so the boundaries between home and work are completely erased. And can I expect an employee who reuses their password on Hulu, Netflix, Disney Plus, and ESPN Plus to come in and not reuse their passwords at work?

Drew Rose: Yep.

Dan Walsh: Can I expect an employee who clicks on ads in their Hotmail to not click on a phishing email at their work corporate email? And the answer is no. So the challenge for us, Drew, is how do we educate the whole person? How do we change their perspective entirely? And it's another reason why I'm very passionate about doing that with young people, even in like middle school, high school, and college. But that's a challenge that we have is trying to really change the whole way that people think about it and all across their life. Because that perimeter between work and life has been completely erased.

Drew Rose: Somebody wonderful just said a couple weeks ago. We're not living from work. No. Somebody great just said that we are not working from home. We're living from work.

Dan Walsh: Yeah.

Drew Rose: And I thought that was like, yeah, we are spending more time at our house working than we were actually living...

Dan Walsh: Right.

Drew Rose: ...if we get sleeping out of the picture.

Dan Walsh: Yep.

Drew Rose: And we need to recognize that. And so, I mean, just the last point here. So how do you tackle that? How do you bring personal decisions you're making into like how this affects your organization?

Dan Walsh: You need to make, as much as possible, security blameless when things go wrong. You have to build relationships. How do you change behavior in someone's home? That's a very intimate place. So it has to be relationship driven in my opinion. Look, the internet, like the whole internet of things could be like... It's a wonderful thing in some regards. It's also a very evil thing in some regards. And so like at the end of the day, it's this personal connection, personal relationships. And so, if you can communicate that out through your program, if you can communicate that with your day-to-day interactions and try to think about creatively how you kind of mix that up. If you can identify those hotspots in your employee base and then focus on those, that's how you do it.

Drew Rose: Yeah. I love that making security blameless starts at the top. Executive leadership needs to be on the same page. I really think... This is my last point. 10 years ago, security used to be cybersecurity, InfoSec, IT's problem to solve.

Dan Walsh: Yeah.

Drew Rose: Five years ago, where it made all this investment in time, money. We got the checkbox security right. Training wasn't working. So what happened? Security became everyone's responsibility. What we're starting to see is that the accountability of having a secure team is fallen on the manager or the director, the midline person that has a team. And it's very interesting that that person, that manager, is the one that's paying the bonus, given the days off, getting the promotion. They have more influence on the behavior of an employee and teaching them than the CEO itself, than the cybersecurity team or the CISO. You're not writing the bonus checks.

Dan Walsh: Correct. Right. Right. Right.

Drew Rose: And so I think we're going to start seeing this kind of rise of the BISO...

Dan Walsh: Yep.

Drew Rose: ...rise of accountability for VPs and directors. And I'm excited about that, because if can show them where they lie... "Hey, senior director, you have the most risky department in the whole company, and that's costing us dollars." Bottom line, you need to do something about it. And then they're activating their team like a squad.

Dan Walsh: Yeah.

Drew Rose: Sergeant squad leader.

Dan Walsh: Yeah.

Drew Rose: They're activating their team that they have the strongest relationships with to do a better job. And I'm excited to move in that direction, because I think that is going to be the most efficient way that a CISO like you can get the message out to your team when it comes to risk.

Dan Walsh: Well, plus that if you gamify it, people like a healthy competition too.

Drew Rose: Yes. Yes. I love game-based training gamification, building relationships through ways that people like to learn...

Dan Walsh: Right.

Drew Rose: ... and they're not to be taken advantage of. That is a core motto of Living Security and what we believe in. So Dan, thank you so much for having me...

Dan Walsh: Yeah. Thank you.

Drew Rose: ... on Transformational CISO. This was a great conversation. I'm sure we got some good nuggets to share with our viewers out there in the world today. So thank you so much.

Dan Walsh: Thank you.

Never miss another update: sign up for our mailing list and be the first to hear about events from Living Security, including the rest of our Breaking Security Awareness webinar series. 

# # # # # # # # # # # #