Christopher Frenz – AVP of IT Security for Mount Sinai South Nassau
Christopher Frenz is the AVP of IT Security for Mount Sinai South Nassau.
Previously, he was the AVP of Information Security for Interfaith Medical Center where, under his leadership, the hospital became one of the first to achieve a zero-trust network architecture. Frenz is a widely sought-after healthcare security expert whose expertise has been featured in numerous publications and conferences from around the world.
He serves as the Chair of the AEHIS Incident Response Committee and is the leader of the OWASP Anti-Ransomware Guide and OWASP Secure Medical Device Deployment Standard projects.
Frenz has won numerous industry awards for his security contributions, most recently being honored as a Healthcare Hero by CHIME for his work on helping hospitals withstand the onslaught of cyber attacks that occurred during the COVID pandemic.
What is your overall approach to information security?
I am a huge proponent of taking an evidence-based approach to information security and not focusing on compliance alone. Compliance with security standards is a great starting point, but it is important to keep in mind that standards are to establish minimum baselines and not end goals. Seeking to achieve compliance alone is like striving for a D grade in a class whereby you may pass but it is not necessarily indicative of a job well done. It’s time we began to move beyond measuring our security programs in terms of compliance alone and to take a more evidence-based approach to how we do security.
As security professionals we need to begin to develop ways to empirically measure which controls work to protect our environment against a given threat and which do not. I’m an advocate of routinely simulating security threats and using the results of the simulations to empirically determine what controls work within my environment, what control areas need improvement, and what controls may actually prove detrimental to security operations.
Based on the results of such simulations, more informed decisions can be made about how security can be improved and, through repeated testing, improvements to security can be quantitatively demonstrated.
How can security executives get that “buy-in” from the top?
While technology is often a key component in security, CISOs must keep in mind that security is primarily about the management of risk. Technology and the controls that it can provide are a frequent way of mitigating risk, but risk is a business decision and not a purely technological one. A good CISO will take the time to learn and understand the vertical in which he/she works and will partner with other organizational leaders to help the business achieve its goals in a way that ensures the risks to the business are kept within an acceptable level.
This understanding of the organization’s business goals is also crucial for the CISO to get buy-in for his/her own initiatives as those initiatives can be explained in terms of how they will benefit the organization and help the organization to better achieve its goals. For example, in healthcare, patient safety is the primary goal of any organization.
Organizational leadership within a hospital may not be interested in the intricacies of DDoS protection, but they are interested in reducing incidents of adverse outcomes, and maintaining the uptime of clinical systems is a key contributor to that end. Explaining initiatives in the context of the business goals they will help promote is key for getting buy-in on security initiatives.
Almost everybody agrees that organizations need a culture of security. How can security leaders facilitate that type of culture?
Every security leadership role involves some elements of being an educator. It is critical that security leaders understand the business vertical they are in and use that knowledge, along with their knowledge of security, to educate others as to what cybersecurity risks the business faces and why certain controls are required to mitigate those risks. I am also an advocate for security leadership going beyond just basic explanations of risk and risk mitigations and organizing table tops and other types of simulated security exercises.
These exercises are not only a great way to identify potential deficiencies in controls and in incident response processes, but are also a great way to get other organizational leaders to think about and understand the potential impacts a cyber attack could have on their business unit. The more understanding that people have that a cyber attack has the potential to negatively impact the part of the business they are involved in, the more likely they are to become accepting of the fact that at some level security is the responsibility of everyone in the organization and not just an IT or infosec responsibility.
Ransomware and phishing are among the risks that have threatened all industries recently. From your perspective, how should companies mitigate these risks and what has worked for you?
I believe that network and security architectures need to be designed with the mindset that any device has the potential to be compromised at any time. No matter how diligent we are at security, no system can ever be made 100% secure and there will be the eventual compromise of an endpoint or other system on your network. As such I have become a proponent of striving for zero trust architectures whereby communications between devices are limited to just what is essential to function and nothing else.
If we look at many of the disastrous ransomware attacks that have hit organizations, one of the common contributors to the success of the attack is a flat network architecture whereby one infected device can rapidly spread into a network of infected devices. Zero trust architectures and the high level of network segmentation they provide make the lateral movements of threats significantly more difficult and help keep the eventual compromise of a system as contained as possible.
How can CISOs / Leaders balance security and innovation?
As mentioned above, I am a proponent of taking an evidence-based approach to security and a proponent of routinely testing the efficacy of the control sets that are deployed. For example, my advocacy for zero trust architectures grew out of a simulation of a mass malware attack on a hospital in which it was learned that network segmentation was a highly effective control at stopping the spread of an attack.
While the exercise showed the efficacy of the control, it also demonstrated that the in-place segmentation (by department) was not fine-grained enough to meet the needs of the organization, because a hospital cannot afford to have an entire clinical department brought down by ransomware or a like threat. This is what gave the impetus for adopting a network architecture with a zero trust mindset.
Through taking such repeated evidence-based approaches towards security decision making, the organization was able to adopt very robust security practices and control sets that allowed for the rapid, but secure, adoption of technological changes to meet organizational needs. This was well illustrated during the COVID pandemic when hospitals faced a sudden and urgent need to expand remote access and telehealth.
All of the past efforts and architectures developed to facilitate zero trust allowed for the rapid deployment of these technologies while still being able to maintain a zero trust architecture and the security it provides. The security strategy that an organization adopts needs to be one that is robust enough to not only meet the changing technological needs of an organization, but also the ever-changing threat landscape an organization faces. Repeated testing to validate that security changes keep quantifiably improving the security of the organization is a great way to ensure that such robust but flexible architectures are established.
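The two answers above argue that the blast radius of a single compromised endpoint is what segmentation should be measured against, and that a simulated outbreak is the way to measure it. The following is an added toy model (not from the interview or any real hospital) that quantifies the worst-case spread of one compromised host under three constructed policies: a flat network, per-department segmentation, and a zero-trust allow-list where workstations may only initiate connections to their own department's server. Department and host counts and the allow-list rule are assumptions chosen for illustration.

```python
"""Toy blast-radius model: how far can one compromised endpoint spread under
different segmentation policies? Constructed example, not from the interview."""
from collections import deque

# A host is (department, index). Index 0 in each department is that
# department's clinical server; the rest are workstations. Constructed topology.
def build_hosts(departments=4, hosts_per_dept=6):
    return [(d, i) for d in range(departments) for i in range(hosts_per_dept)]

def allowed(src, dst, policy):
    """Does the network policy let src initiate a connection to dst?"""
    if src == dst:
        return False
    if policy == "flat":            # no segmentation: every host reaches every host
        return True
    if policy == "department":      # one VLAN per department, anything goes inside it
        return src[0] == dst[0]
    if policy == "zero_trust":      # explicit allow-list: workstation -> own dept server only;
        return src[1] != 0 and dst[1] == 0 and src[0] == dst[0]   # servers never initiate
    raise ValueError(policy)

def simulate_spread(hosts, patient_zero, policy):
    """Worst case: a compromised host compromises every host it is allowed to
    reach. Breadth-first over the allowed-flow graph; returns the compromised set."""
    compromised = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst not in compromised and allowed(src, dst, policy):
                compromised.add(dst)
                queue.append(dst)
    return compromised

def blast_radius(policy, departments=4, hosts_per_dept=6, patient_zero=(1, 3)):
    """Summarise the outbreak for a policy: hosts hit, departments hit, fleet size."""
    hosts = build_hosts(departments, hosts_per_dept)
    hit = simulate_spread(hosts, patient_zero, policy)
    return {"hosts": len(hit),
            "departments": len({d for d, _ in hit}),
            "total": len(hosts)}

if __name__ == "__main__":
    for policy in ("flat", "department", "zero_trust"):
        print(f"{policy:12s} {blast_radius(policy)}")
```

Swapping the constructed `allowed()` rules for an export of a real firewall or microsegmentation policy turns the same loop into the kind of repeatable, quantified measurement the answer describes.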
How has industry cooperation made an impact on cybersecurity?
Industry cooperation has been essential to the advancement of cybersecurity. If we are to keep improving the state of cybersecurity it is critical that we continue to share information with regards to the threats we face as well as best practices to combat those threats. This sharing not only needs to occur within industry verticals, but also between industry verticals. While many organizations have often been hesitant to share security strategies and information, it is important for us as security professionals to remember that we are all in this together and all have the common goal of keeping our organizations and the people they serve safe.
One of the major lessons we should all be taking away from the recent SolarWinds breach is how interconnected we all are and how one person’s security problem can rapidly become everyone’s security problem. We need to all collaborate and work together. One quick visit to a dark web hacking forum and it becomes evident that malicious actors share strategies and intelligence. We need to do the same if we are to stay one step ahead.
Cybersecurity is a challenging and dynamic field that requires practitioners who are always open to learning new things and to conquering a never-ending set of challenges. Nevertheless, as a healthcare security leader, it can be an extremely rewarding field to know that the work that we do every day helps to protect not only patient information but also patients themselves.