A Fireman? A Princess? How About a CISO?

As children, we don’t dream of becoming a CISO, yet we still have them. What can a security professional learn, or even show, to demonstrate that they’re getting ready for the position of CISO?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@CSOAndy), operating partner, YL Ventures. Our guest is Paul Connelly, former CISO, HCA Healthcare.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor Nightfall

Nightfall is the leader in cloud data leak prevention. Integrate in minutes with cloud apps such as Slack and Jira to instantly protect data (PII, PHI, Secrets and Keys, PCI) and prevent breaches. Stay compliant with frameworks such as ISO 27001 and more — all powered by Nightfall’s industry-leading ML detection.

Full transcript

[Voiceover] Best advice I ever got in security. Go!

[Paul Connelly] The best advice for me was start with the mission of your organization and make sure that you’re connecting your program to that mission. I’ve worked in healthcare the last 20 years, and it’s all about taking care of patients, and my program ties to that.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me, my cohost, it’s Andy Ellis. He’s the operating partner of YL Ventures. We’re available at cisoseries.com. Andy, why don’t you say hello to our nice audience?

[Andy Ellis] Hello, to our nice audience, and hello to the rest of you as well.

[David Spark] The not so nice audience?

[Andy Ellis] You never know. I should be inclusive.

[David Spark] That is a good point. We should be nice to the people who are nice to us and the ones who are not. Before we go on any further, I do want to mention our sponsor, Nightfall AI. They are DLP simplified and data protected. You’re going to want to look to them for your PII, PHI, and pretty much all your sensitive data needs. More about exactly what they’re doing later on in the show. Now, Andy, live events are back. I’ve gone to a bunch. We’ve done live recordings already in a bunch of cities. We’ve got a ton more planned out for 2023. We all kind of enjoy just to meet our fellow colleagues, but what is it that you get out of a live event more than just, “Hey, this is fun,” and seeing my friends, and connecting.

[Andy Ellis] Well, hopefully I did some book signing. I always have to bring it back to the book.

[David Spark] Always have to bring it back to the books.

[Andy Ellis] So, for me, the live events give you a better connection when you are trying to share content. Whether it’s a book, or your talk, or whatever it is. I just find being in a room with people and being able to talk to them, you hear better. They hear you better. And so that’s really what I’m looking forward to. I think we’re going to just miss each other in Denver in a couple of weeks because we’re both doing the same event. I’m just on the last day, and you’re on the first day.

[David Spark] Are you not going to be there on the first day?

[Andy Ellis] I probably will be flying in the end of the first day, maybe even the next day. So, we’ll see.

[David Spark] Actually in fact this episode is going to air exactly two weeks before. Well, it’s bring on our guest. I’m very excited to have this person on. Recently retired. Literally just over a week. Not officially a CISO anymore.

[Andy Ellis] Congratulations.

[David Spark] He’s been doing it for quite a long time, but he’s actually going to be going to the board level. We’re actually going to be talking about that on this show. Very excited to have him on. It is the former CISO for HCA Healthcare, Paul Connelly. Paul, thank you so much for joining us.

[Paul Connelly] Thank you. Good to be here. Yeah, 29 years as a CISO, ended on the 7th of April.

[David Spark] Wow.

[Andy Ellis] And congratulations. That’s an amazing accomplishment. I only lasted 21 years in the gig, so you beat me by 8 years.

[David Spark] 29 years ago, did you officially have the title CISO? Because I don’t know if that title existed, did it?

[Paul Connelly] It did not. I first became what they called the ISO, Information Security Officer, back in 1987 at the White House. And I was nine years there. Then did some time as a consultant and then 20 at HCA Healthcare.

What would you do if you were the CISO?

[David Spark] It appears to me that physical security is being consumed by digital security. It is the long discussed topic of convergence. A few years back, I attended a physical security conference, and I noticed the following – one, the people in the industry are much older than those in cyber. And two, physical security’s understanding of cyber is little to zero. And three, the sessions they had on cyber security at the conference were all 100-level education. Plus almost every physical security device has a digital component that is gathering data that must be secured. Given all these factors, it seems inevitable that physical security must be rolled up into cyber. Both of you have held CSO roles that cover both domains. Referring to the title of the segment, if you’re a CISO about to become a CSO, what landmines should they be wary of? What don’t CISOs know about physical security that they should know before they get into any trouble? Andy?

[Andy Ellis] So, I think the first thing you need to be aware of is who actually does own physical security, because it might not actually be you even if you own governance. You might be the CSO, but facilities probably actually owns an awful lot of the physical security, and they don’t necessarily like you or want to talk to you.

[David Spark] [Laughs] By the way, is this from personal experience, Andy?

[Andy Ellis] I’ve had partners in the physical security side who loved me, and I’ve had partners who really wondered why I was the one who briefed the board on their work. The answer was if it wasn’t me, nobody else was going to because their other path to a C-level executive was like five hops in a management chain whereas they had a dotted line to me. And so yes, I got the credit for work that they did, and it was fantastic work, and I really appreciated that. So, that’s the first thing to be aware of. But the one thing that I think most people really don’t get is that physical security far more than information security interacts with humans continuously. And the number of times that people do not do user stories… I can recall putting in a bicycle cage and just trying to tell the story of how users would interact with the bicycle cage, and the stairwell into the building, and the badge readers. And this is something that in the physical world, they didn’t really do. This concept of user stories… Which anybody who’s worked in an agile programming environment, you’re like, “Oh, yeah, I totally understand that.” Was just novel.

[David Spark] So, what do you mean? I’m sorry, excuse my ignorance here. What do you mean by user stories?

[Andy Ellis] When you’re doing physical security, sometimes you get the easy thing like you’re securing a building that has no humans in it. Those are fantastic. It’s all technical controls. But almost everything else, users are continuously interacting with your security controls. They’re not passive controls that are sitting somewhere else. They’re physically interacting with whatever you do. So, every piece of friction you put in, they are your biggest adversary. Because you’re being their adversary. They’re trying to physically get to their desk, and you made it harder. What do you think is going to happen? The other thing I would recommend is always make sure you maintain the confidentiality of security logs from HR.

[David Spark] All right, good point. Paul, I throw this to you. Same exact question. Do you agree? What would you add to Andy’s story here?

[Paul Connelly] Well, Andy brought up a great point about the personal interaction. I asked for physical security. I was originally the CISO, and I asked that physical security be brought into our program because I could see the benefits of the convergence. But the one thing that I would add to what Andy said is that physical security is very local, and cyber security tends to be more enterprise focused. So, it’s an interesting dichotomy that I’ve been working for this big Fortune 100 company, so we’ve got these big cyber security initiatives that address the whole enterprise, and day to day, little… I shouldn’t say little. Tactical issues come up at the hospital level, at a clinic level, and so forth that are physical security related that you have to address. I would say that’s the biggest landmine. After requesting it, I don’t think I realized how much day to day stuff comes up on the physical security side that you have to address if you’re the leader.

[Andy Ellis] Maintenance of automatic door closers.

[Paul Connelly] Yes, who’s in visitor parking.

[David Spark] But I got to imagine that’s sort of mentally draining because you’re dealing with all these human personal requests. To what you said, Andy. But going back to you, Paul, how can you sort of maintain your attention to all security if potentially all these individual physical security issues are consuming your time?

[Paul Connelly] Well, a lot of it is building the program so it’s not consuming your time, and you’ve got the right people in place, and the right processes. But to kind of flip the issue on the other side, the reason that I liked having it is because that personal interaction helped on the cyber side as well. It gave us more of an end user connection that we might not have had otherwise on the cyber side.

How have you actually pulled this off?

[David Spark] On this show, we talk a lot about the varied responsibilities of a CISO: understanding their business, budget control, communication to the board and different departments, understanding and managing risk, recruiting strategy, people management, legal and regulatory issues, just to name a few. But security professionals usually start out technically and don’t get any of that training. And from every CISO we’ve had on this show, everyone has taken a different path. So, my question is what are some suggested ways a security professional could either learn any of these skills and/or demonstrate that they actually have these skills to the people who would care? Paul, what would you suggest?

[Paul Connelly] Well, I think one thing that’s different… And I know this kind of gets away from your question. But I think today, people who view their future of being a CISO, they recognize they have to have these skills. So, they’re trying to learn them.

[David Spark] Especially if they’ve listened to this show.

[Paul Connelly] Yeah. Back in the day, I think a lot of people thought they would just be kind of technical IT folks. So, that’s part of it is knowing that that path… But the key thing is to me, very early on I had some great mentors who came from the business side of the organization. They were not the technical folks. And they did everything from help me get opportunities to speak in front of crowds, to giving me sometimes really frank feedback. Things that helped me sort of build and give me opportunities to build those other kinds of skills. So, I’ve never been a super technical CISO. I’ve always actually felt like those other skills were my bigger strength. I think a lot of it goes back to having those mentors work with me.

[David Spark] Andy, answer either question. How would I develop them, or how would I show those skills, that I’ve got those sort of ready to be a CISO skills? Either, again, training or showing.

[Andy Ellis] So, I think you’re going to do the same action for both of them. What you’re going to do is you’re going to find the business partners whose primary responsibility might be the skills you need to develop. Your HR business partner, your recruiters. Honestly anybody that you’re in regular meetings with who’s also a peer stakeholder. For me it was somebody in our professional services organization, and so I’ll use this as an example of how to both learn and demonstrate the skills. Which is when they bring up an issue in a room that you’re in, listen carefully and ask yourself one question – what is true about their motivations that makes them bring this up. Because answering that question is how you develop the skill. Because you’re like, “Oh, the professional services team is worried about the cost of implementation of any changes.” Whether it’s a security change or not. They have to go talk to all the customers and make changes. And once you have figured out what motivates them, you can now advocate for them. And you’re now demonstrating that you have the skill. That’s the business skill. And you can say, “Look, I don’t want to put words in so and so’s mouth, but I’m pretty sure this solution isn’t going to work because…”

And give the reason. Now, first of all, you have just made an ally in the room because the person who thought they were the only one speaking up who cared about this problem is like, “Whoa, I have a partner on the other side of the business who is saying that they won’t accept solutions that hurt me.” So, you’re building a friend, building an ally. But at the same time, you are learning how to run their organization. Not at a detailed level, but you’ve just demonstrated to people, “Oh, this person understands finance, or professional services, or whatever.” So, ask people. If you don’t understand why certain things come up, ask for one on one and say, “Hey, in this meeting you brought this topic up, and I don’t understand it. Could you explain it deeper for me? Because I don’t want to make you have to in a meeting explain yourself over and over again. So, I’d rather nip those in the bud.”

[David Spark] Very good example. Paul, is this something you did early on? Or I’m assuming that’s something that a CISO must just do all the time in terms of identifying why they’re bringing up issues.

[Paul Connelly] Yes, absolutely. Going back to that first question you asked me, that’s one of the things that I learned very early on is that you’ve got to be able to answer the why and do it in terms that the individuals, the audience you’re speaking with, understand and connect with.

[David Spark] And so it’s your job to essentially bring your knowledge to whatever their concern is.

[Paul Connelly] Yes. Absolutely.

Sponsor – Nightfall

[David Spark] Before I go on any further, I do want to mention our sponsor, Nightfall AI. So, here’s a big wakeup call. Did you know that employees share five times more AWS keys in Jira than GitHub? That’s what today’s sponsor, Nightfall AI, used by leading organizations such as Splunk, Exabeam, and Oscar Health…that’s what they’ve found in a study they conducted in 2023 across thousands of enterprises. This highlights the growing problem of secrets and keys leakage in the Cloud. Not just in code hosting software but across other applications like Jira, Slack, and Microsoft Teams.

Nightfall helps you protect these secrets by integrating next generation Cloud native data leak prevention directly with the applications. Nightfall is agentless and leverages the most recent advantages in AI, enabling you to focus on the risks that matter most. With Nightfall’s data security and compliance platform, you can find and protect your business’ most sensitive data such as PII, PHI, financial, and proprietary data. Data security not only builds customer trust, it helps you stand out as a security leader and stay continuously compliant with leading frameworks including HIPAA, SOC2, ISO27001 and many more. Go visit their website, nightfall.ai/cisoseries, to learn more and get 25% off your first year’s subscription cost. That’s nightfall.ai/cisoseries.

It’s time to play, “What’s worse?”

[David Spark] Paul, are you familiar with this game?

[Paul Connelly] I’ve watched it in a couple episodes, yes.

[David Spark] All right. So, two horrible situations. You’re not going to like either. But you have to tell me from a risk perspective which one is worse. I always make Andy answer first. If you disagree with him, I win. If you agree with him, he wins. No pressure there at all whatsoever. All right, this is a simple and quick one. This comes from Matthew Biby who is the CISO over at Satcom Direct, and here are the two scenarios, Andy. Scenario number one, constant management turnover in the company but not security. Or a constant turnover of the security team but not management. Which is worse?

[Andy Ellis] There’s so many secondary effects that this one is going to be challenging because it’s actually an easy call depending on the secondary effects.

[David Spark] But yet we don’t know what those are.

[Andy Ellis] So, I’m going to approach it from the security perspective and assume the constant management turnover is not driving the company into the ground since that wasn’t specified. Because obviously that’s the worst outcome, but let’s not go with that. I’m going to say the constant security turnover is probably what’s worse. The reason for that is that security is a control system. Think of it as the company is investing in a control system that is damping down risk over time. And so when things pop up and there’s new problems, you have a security team that is solving them. Back to our earlier conversation about just dealing with physical maintenance of security controls.

When you have a new problem, you don’t go to your board and say, “Oh, the automated door closer isn’t closing correctly. Can I have 50 bucks to solve this?” They’re like, “You have a budget. Just solve these problems for us.” And you have to have that institutional knowledge and that sort of continuity to have your program continually get better. If you’re just throwing out your security program every week because of the change that’s happening where you’re not getting anything done, you’re basically just running around slapping band aids on problems except the next person comes along and says, “Oh, I didn’t like those band aids because they were Thomas the Train band aids. I’m going to put on Disney Princess band aids.” And they’re going to slap on theirs. And it’s just going to be crazy, and you’re not going to deal with any systemic risk.

[David Spark] All right, good argument. I can see the other side. The question is does Paul go for the other side. Paul, where do you stand?

[Paul Connelly] David, I’m sorry, I have to go with Andy on this.

[David Spark] [Grunts]

[Paul Connelly] I was tempted to say that a lot of turnover in senior management means that you’re constantly restarting and building credibility, and teaching, and building up. But I would worry more about the constant turnover on the security side which could be an indication that you’re not getting the leadership support. It could be the board support, those kinds of things as well.

[David Spark] So, maybe you need constant turnover on both sides.

[Andy Ellis] Well, the bright side is if you’re not having the turnover on the security team, at least the new management isn’t cutting your budget such that you’re losing people. They’re probably just ignoring you. They’ve got other fish to fry. You’re just making progress.

[David Spark] There you go. So, I’m sorry, continue on, Paul, your argument as to why you chose the second option. Again, the worst scenario being the constant turnover of the security team.

[Paul Connelly] A lot of what Andy said I completely agree with. And if you think about it, most large…especially large organizations, it just takes time to build the credibility to understand the people, to understand the business. And if you’re constantly having to restart that process, I just don’t see how you can really achieve the long-term goals.

[Andy Ellis] And here’s the challenge for our listeners, which is as a mental exercise figure out how long it takes you to deal with turnover. So, one person who exits the business, how long does it take you to write a new job description, post it, get a person into that role. How many manager hours go into interviewing? Not just managers but all their peers who might be part of that process. And then how long are they in the job before they’re up to speed and producing even reasonable value let alone the amazing value that people will get to after they know the whole organization. And just write that number down of not just how many hours you lost from them not being there but how many hours you consumed replacing them. Single biggest productivity and efficiency drain in a security team is letting somebody go that is regrettable. If you regret that they walked out the door, you should figure out how you keep them from walking out the door before they open it.

[Paul Connelly] Yeah, it’s a million dollar mistake.

Question for the board.

[David Spark] Paul, now that you’ve left the CISO role, you are becoming a board member. Having cyber security knowledge, especially your level, is very desirable. The board just “being aware of cyber security” is not enough. In researching this topic I stumbled across a couple of checklists from the Carnegie Endowment for International Peace and Deloitte that had a lot of questions for the board to ask themselves if they’re addressing all necessary cyber security issues. Questions such as: has your organization quantified its cyber exposures and tested its financial resilience? Is there a periodic review by the management to update the crown jewels changed during a given period of time or due to disruption? So, I’ll ask you, Paul, does the board ask questions like this without having cyber knowledge present? What have you seen from boards, and what would you want to change now that you’re becoming a board member?

[Paul Connelly] I should clarify that it’s a work in progress. I’m working on becoming a board member.

[David Spark] It’s getting there. I feel confident.

[Paul Connelly] Yes.

[David Spark] [Inaudible 00:21:52] advertised. Paul is up for hire as a board member.

[Paul Connelly] Going back to your question, I have definitely seen those types of questions in recent times coming from my company’s board. And they don’t have someone who I would call the designated cyber security specialist. But what we’ve tried to do over the years is slowly build the knowledge and we feed information. We’ve done tabletop exercises with our board. So, their level of knowledge has come way up. So, that’s a real positive thing where companies see that happening. I can still see companies, especially companies that are in critical infrastructure industries, that they would want somebody on that board who really knows the day to day nuts and bolts of how a program needs to run so that they can go peel back the layers of the onion and get to the deeper oversight.

[David Spark] Andy, what’s your story in terms of working with the board and cyber security knowledge? I know you’ve spoken about this before and things that you’ve said before is that the CISO can’t be the only one educating the board because they just operate on what knowledge they had previously.

[Andy Ellis] Right. And a little bit of knowledge can actually be a dangerous thing here. I think boards are starting to get educated, but I think they’re starting to learn the words, and they haven’t yet figured out how that’s going to change the dynamic in the room. And so my recommendation for a CISO is if you have a great relationship with your CEO, you should strategize how you’re going to manage and educate the board together so that your board is coming up to speed, and you should be asking the questions what should we be telling the board conceptually. Don’t talk about specific risk problems yet because you’ll get into a fight over them. But conceptually what is important for the board to understand.

[David Spark] Can you isolate one example right there? Like what’s a conceptual thing we would have to get across to the board?

[Andy Ellis] So, here’s a concept I love. And not all boards are ready for this. What is the biggest security risk that we’re living with? Because that level sets everybody. Now, there’s a lot of management teams that don’t want to have that conversation because now you have documented, A, well, here’s the biggest risk. And when it goes south, everybody is going to say, “Oh my God, we should have fixed that one.” But there’s always going to be a biggest risk. And so maybe that’s a conversation to have is are we going to talk about that in the room. Because we can try to go fix that one, but then there will be a next one. And if you have a board that’s going to demand that you work on these projects then you don’t want to expose those risks to them. You just want to expose them to senior management and say, “Hey, here’s what we’re living with. These are the right tradeoffs given the budget that we’re within.” But even having agreement on what conversations can happen in the board room is something that boards, CEOs, and CISOs need to be aligned on.

[David Spark] Paul, with someone with your pedigree in cyber security… I mean 29 years. I don’t think we’ve had anybody at a senior level for 29 years on this show. I don’t think I’ve met any, so congrats on that. What is it that you would be able to provide differently that the boards that don’t have that kind of thing…because I’m pretty sure nobody does…can’t do right now? And I’m setting this up, allowing you to be a little egotistical here. So, go for it.

[Paul Connelly] Well, I do think that there is a credibility that comes with the kind of experience that Andy has had, that I’ve had, that’s a lot different than somebody going and spending a weekend and getting a certification. And one way that I look at it is I look at companies, organizations as kind of on a sliding scale. And at the top of the scale are the critical infrastructure organizations where cyber security is core to their business. It’s got to be done right for them to function. There’s lots of companies that are lower down on that scale that might not need an Andy, or a me, or someone like me to be on their board. But those companies where it’s critical I think you’ve got to have somebody who’s been there, who’s gotten the 3 AM phone calls, who knows how to respond when something is going south. Somebody who’s been through the budget battle and weighed the pros and cons of different investments and was able to justify the right approach to take. It just feels like it’s sort of that wisdom. I hate to say. [Laughs] Maybe I’m being egotistical, as you said. There’s just that credibility that comes from having been there and done that if that makes sense.

[David Spark] Well, and also you might have that… You’ll get that moment where you would be at an equal level with the CISO of the organization, unlike the CISO trying to explain to everybody like, “Can we all get on board here?” And instead you’d be like, “No, what he or she is talking about is right.” There’s that sort of equal moment which most boards don’t have. Am I right or wrong here, Andy?

[Andy Ellis] No, I think you’re very right. A lot of boards are sort of deer in the headlights when the CISO walks out of the room. It’s like, “What was the context for that? Should I be terrified, or should I not be terrified?” And so the biggest benefit of having a former CISO on your board or having even a board advisor who’s a CISO… I think that’s becoming a more common thing that some boards are looking at, which is having an outsider who’s not a director but is a CISO to advise them, is to provide that context that the CISO is carrying in their head but doesn’t always know how to communicate to the board, and the board doesn’t always have the context to communicate it to themselves.

[David Spark] Last thought on this, Paul?

[Paul Connelly] I agree. And even though the level of knowledge of boards or at least through the experience that I’ve had is the level of knowledge has been going up steadily in this area, there is still…it just does not replace having that experience of being in the seat in the past and being able to connect it back to the other things that the business is doing and recognize how it ties into other parts of the strategy as well. Because I think a successful CISO is at the table for the organization involved in all kinds of strategic discussions. It’s not just a 15-minute update on cyber. It’s having somebody who’s there, who’s going to recognize, “Hey, this merger and acquisition is going to bring this kind of risk or this other strategy.”

Walk a mile in this CISO’s shoes.

[David Spark] Many of our listeners are aspiring CISOs. Some are actually already CISOs. On CSO Online, Jaikumar Vijayan wrote an article entitled “Five Ways to Tell You Are Not CISO Material.” So, it’s a very clickbaity title, and guess what? I clicked. All of these subjects of the five ways are topics we’ve discussed in great detail on the show, and the five are being risk averse, wanting to do it all, you don’t like business speak, you can’t sell security, and you’re being overly technical. I’ll start with you, Paul, on this one. Which of these was the hardest for you, and what’s your advice for methods to deal with any of these issues?

[Paul Connelly] I agree that all five are kind of showstoppers. I think that probably the biggest one I’ve always struggled with is the second one, wanting to do it all. When you’ve got the full view of the risks and where you’re vulnerable, where the threats are coming from, it can easily make you feel like we’ve got to do everything right now. And it’s just not humanly possible, and you’re not going to last a year in the role if you try to do that. So, it’s a matter of being able to prioritize and figure out where you put your chips first and work your way through it that way.

[David Spark] Yeah, we have heard this a lot. That you should be satisfied with good and not perfection because it’s close to impossible to get there. Andy, what has been the hardest for you of all of these?

[Andy Ellis] I don’t know. I’m good at all of these. No.

[David Spark] [Laughs] Hey, I didn’t say you could be egotistical.

[Andy Ellis] So, seriously the being risk averse. I think this is the biggest challenge for most security professionals is we think we own risk. In fact that language was even used in Jaikumar’s article. He talks about you need to be comfortable owning risk. No, you actually don’t. What you have to be comfortable with is that your business owns risk and that you don’t get to come in and tell them to stop doing that. And that’s the tension that is the hardest thing I think for most aspiring CISOs to really come to terms with, which is your job is to help the company make wiser risk choices, not to stop the company from making risk choices at all. And for me this actually came to a head… I got my wish… The thing that every CISO got told 15 years ago… We were told that you should be an approver of the product launch process so that unsafe products don’t get launched. And I got that wish. We had a new head of products who’d come in. He’s like, “Yes, Andy, I want you in the room, and you can say no.”

And the first time I said no, which was frankly pretty well justified given that it was a product that hadn’t talked to my team at all or me, never seen a design document… And so live, I’m being asked to approve it. And I’m like, “No, I don’t approve it. The risk presented here… I can’t figure it out.” And they’re like, “Well, how quickly could you figure it out?” And I’m like… And we ended up in this whole battle because it was now my job to figure out whether this was safe to go out in real time. And then the trump card of are you going to hold up this product that might be worth a billion dollars. And to the listeners, it wasn’t actually worth a billion dollars.

But that was the tension. And when I learned to let go and say, “Look, my job is to teach you how to assess risk. I’ll provide experts that will help you assess the risk. But at the end of the day, it’s the president of products who decides if this risk is acceptable, not me. And all I’m going to do is tell them whether or not you’re lying to him.” And when that became my job, oh my God, it was so freeing. But now we started taking risks, and we were conscious of them. We weren’t hiding the risks. And I will tell you, once everybody had to be aware of the risks and they were writing them down, they became very eager to start fixing them. Because they couldn’t just pretend it didn’t exist, that it was something the crazy security people had brought up. They were the ones who had written it down.

[David Spark] I’m throwing this last comment to you, Paul. I like this scenario that Andy said. How well did the risk discussion happen over time for you? I’m sure it’s greatly improved over time, yes?

[Paul Connelly] Yes, absolutely. And, Andy, that is a fantastic point that you made. I couldn’t agree more in terms of how it changed my role when business leaders started taking ownership for the decisions that they were making, and my role became the advisor, the trusted advisor who helped them avoid making bad decisions. But at the end of the day, it’s all about making thoughtful decisions that take risks into account. And there have been many times where I walked away from the table swallowing hard saying, “I wish we hadn’t made that decision, but at least it was talked through, it was thought through.” And the overall business strategy won out at the end of the year.

[David Spark] And is there something that’s kind of physically done to say, “All right, I’m owning the risk. I’m writing it down. I saw this. I accepted it.” Does anything like that happen? Not from your side, from the business side?

[Paul Connelly] We do have a process where if we’re not following a standard or a policy that we’ve set and we’ve gone through that discussion, and we’ve arrived at a conclusion that we just can’t do this… Maybe it’s in our case a pressing patient care issue that we’ve got to address. We do document it, and the business leader signs up to it. When we started that process where they were putting their name down, that really elevated the whole discussion in terms of the priority that they were giving to the decision. So I think it was a good process, and that’s just been part of the evolution. Kind of the maturing of that whole decision making process.

[David Spark] Andy, did you want to say something here?

[Andy Ellis] I think that’s… What’s most important… A lot of people get fixated on document it and write it down, and that’s important. But the most important part is that the person who owns the risk, which is usually the person who owns the reward – the product owner or whatever – that they’re the ones who wrote it down. It’s not in your slide deck. It’s not in your Word doc. It’s in theirs. They have to have the memory that they wrote it down and that they shared it with someone. Because now they own it. It’s not just you trying to snipe at them after the fact.

[Paul Connelly] Agree. They also lay out what their plan is going forward, what’s the long-term plan to address this risk as well.

[David Spark] Well, that brings us to the very end of this very episode. I want to thank our guest, Paul Connelly, the former CISO over at HCA Healthcare. Paul, I’m going to let you have the last word. Hold tight. Huge thanks to our sponsor, Nightfall AI. Remember, their website, nightfall.ai/cisoseries. If you go there, you can get 25% off your first year’s subscription cost. So, check it out and save some money and protect your darn data. Why not? Andy, thank you as always. We are recording this on the 17th of April. Tomorrow…

[Andy Ellis] Yes!

[David Spark] Your book officially comes out.

[Andy Ellis] It does.

[David Spark] Do you have actually a book signing tomorrow?

[Andy Ellis] A very small one. Just a couple of very close friends.

[David Spark] Of close friends. But are you going to a local bookstore at all?

[Andy Ellis] Yeah, I’m currently working out the arrangements for that. That’s not going to be a launch day activity. And if anybody who’s listening does want to get a signed copy, if you go to csoandy.com, you can look right there how you can find me to get a signed copy.

[David Spark] If you’re in Denver… Because this is going to be two weeks before that. He will be signing in Denver as well.

[Andy Ellis] I’ll be signing in Denver, and I’ll be signing in Richmond, Virginia for RVA Sec the week after.

[David Spark] Excellent. And, Paul, any last words that you would like to have on our topic? Your future as a board member or anything else.

[Paul Connelly] Well, I’m hoping that that’s a trend that we’ll benefit from and that we’ll see continue to grow, adding that kind of expertise to our boards. Andy, great being on this with you, hearing your perspectives. I will be going to your website as soon as we hang up here.

[Andy Ellis] Awesome. Thanks, Paul.

[David Spark] Paul will be a trendsetter on boards. Watch out for him. It’s happening. Thank you so much, Paul. Thank you so much, Andy. And thanks to our sponsor, Nightfall AI. So thrilled to have them on board. Remember their website, nightfall.ai/cisoseries for 25% off your first year’s subscription cost. And I want to thank our audience as well. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, and Cyber Security Headlines – Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “what’s worse” scenarios. If you’re interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on cisoseries.com and/or contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.