How VillageMD Is Driving Proven & Lasting Change In Security Culture With Unify Insights

The Client

Dan Walsh is the CISO of VillageMD and is an industry leader in the health technology space. VillageMD is a leading provider of healthcare for organizations moving toward a primary care-led, high-value clinical model. The VillageMD solution provides the tools, technology, operations, and staffing support needed for physicians to drive the highest quality clinical results across a population. VillageMD works with physician groups, independent practice associations, and health systems to improve quality, deliver a first-rate patient experience, and lower costs in the communities they serve. As the CISO of VillageMD, Dan Walsh is always focused on how he can use data to empower the business and to make necessary changes.
He comes from a security application development and data background, and has worked in Fortune 10 companies all the way down to advising startups. He has worked on maturing security programs at scale through strategic investment in people and in sustainable, repeatable processes, and by identifying tools that support them both. Dan is a security startup consultant, former adjunct professor, security examination developer, and contributor to open source security projects. Dan’s broad background and diverse experience give him a unique opportunity to see how different companies address their specific security challenges. In the end, however, no matter how large or small, technical or academic, the root of the problem is the same: Human Risk Management. Dan knows that data is important, but a data-driven approach means nothing if the human element isn’t given serious consideration.
At previous organizations, Dan tried to empower behavior change across his workforce by building in-house automation and scripting to pull and aggregate data on cyber risk. However, the data came in like a flood, and there wasn’t always an efficient, streamlined way to make sense of it, select the greatest threats, and make clear decisions about what to prioritize.

“How do you use that data to empower the business, to make the change? Because if we’re a compliance-based security awareness program and just pushing people to change, then we’re telling them what to do as opposed to showing them the data and to empower them to want to change on their own. No one goes to work in the morning and says, ‘Hey, today I want to be the least secure employee in the company.’ So if we provide that data to them, then it’s an opportunity to be like, ‘Wow, didn’t realize that I had this blind spot, and I need to correct it.’”

CISO of VillageMD

The Solution

MEASURE WHAT YOU WANT TO KNOW AND REPORT ON WHAT YOU WANT TO CHANGE

After spending hours and weeks making sense of the raw data, Dan and his team were able to identify some points of interest. One was that a team within the organization was under more significant threat than other divisions due to its access, but the question remained: ‘How do you make sure that your team is secure and prepared for the attacks they are facing, without embarrassing people, punishing them, violating privacy, or disempowering them?’

In another sense, now that we know where this significant risk is in our business, what actions can we take to decrease the potential threat? In Dan’s words, he believed that the best way to mitigate the human side of risk or to manage human risk is to “measure what you want to know and report on what you want to change.”

That meant he needed to parse all of that data in a way that provided actionable pathways for change and that could be communicated efficiently and clearly to key stakeholders higher up the chain.

The Experience

FINDING EFFICIENCY AND SCALE TO DRIVE HUMAN RISK MANAGEMENT

With his initial view into the data, Dan was able to find high-risk areas on which to focus his team’s efforts to mitigate risk to the organization. This test proved the approach was worth the effort to scale for easier measuring, reporting, and decision making going forward. Dan chose Living Security’s Unify Insights human risk management solution to help with this initiative at VillageMD.

Unify Insights not only lets Dan focus on which departments are exhibiting the most cyber risk, but also provides him with the intelligence and context he needs to decide what to do with the information. For example, he notes “90% of the risky activities by the VillageMD workforce have a legitimate business reason for them”. Unify Insights gives Dan the context he needs to discuss the risky behaviors, present the business reasons why this behavior needs to change, and explain what actions the security organization can take to mitigate this risk.

“Traditional security and awareness is one of the few departments on the security team that didn’t have any really good technical tools. And so for the first time with Unify Insights, you’re empowering them with the data that you already have. I believe human risk management is the future of traditional security awareness, and we are excited to be on the leading edge of that.”

ABOUT LIVING SECURITY

Living Security is a cybersecurity training company, working to reduce cyber risk through impactful, human-focused training.

Living Security’s focal point is decreasing human error–the greatest cybersecurity risk enterprises face–through immersive and intelligence-driven training solutions. Their science-based approach drives user engagement and reinforces positive security behaviors, integrates threat intelligence to train on the most relevant user-facing threats and delivers metrics that enable companies to measure the effectiveness of the program.
