Outcomes Rocket Podcast_Matt McMahon and Brandyn Blunt: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Saul Marquez:
Hey, everybody. Saul Marquez here with the Outcomes Rocket. I want to welcome you back to this amazing series on cybersecurity for health systems and organizations. In this podcast series we’re covering health leaders that were part of the Health Sector Workforce Cybersecurity Working Group on what they’ve done to help make cyber safety a better possibility for all of us. And today I have the privilege of hosting two outstanding guests. First, I want to introduce you to Matt McMahon. He’s an R&D lead and senior product manager for cybersecurity with Philips. He also works as a graduate adjunct professor, teaching coursework in cybersecurity and healthcare at Salve Regina University. Matt has been a cybersecurity subject matter expert for both MIT and Comp TIA. He currently leads two different cyber working groups with the Healthcare Sector Coordinating Council and regularly speaks on the topic of cybersecurity and healthcare at conferences, and around the world. We also have Brandyn Blunt with us on the podcast. He is a senior cybersecurity specialist for Cybersecurity Assurance, Governance, Risk, and compliance with the Cleveland Clinic. He has been a part of the Health Sector Coordinating Council since 2018 and has had the honor of being co-chair for the Workforce Task Group. Brandyn has also been a panel speaker on medical device cybersecurity, and he’s currently pursuing his master’s in legal studies in pharmaceutical and medical device compliance law. In this podcast, we’re going to cover cybersecurity talent, what it takes to get it, and also share with you a resource called the Workforce Guide and how it could help you with your recruitment and talent in cybersecurity. So with that, I want to welcome both of you, Matt and Brandyn, to the podcast. Thanks for joining us.
Brandyn Blunt:
Thank you, you’re welcome.
Saul Marquez:
So before we dive into the questions, guys, I’d love to find out from both of you, what inspires your work in healthcare cybersecurity.
Brandyn Blunt:
I’ll let you go first, Matt.
Matt McMahon:
Okay, no problem. I was doing the same. So I’ve worked in healthcare for a number of years now and probably more than ten. For me, it’s, you know, you’ve always had that satisfaction of working, so working in cybersecurity is obviously interesting and something that people that work in the field get really excited to kind of dive into the technical aspects. But it’s always been great working in the medical sector because, you know, you’re protecting such important technologies that literally save people’s lives. And if you look at any of the kind of healthcare cybersecurity stats out there, it’s really getting to be kind of the Wild West with just the volume of attacks and specific targeting of health, of the healthcare sector, the hospitals, and things like that, like the, you know, the takedown taking offline of hospitals with ransomware during COVID, which is, you know, pretty scary. So, you know, that’s really why I kind of stick with healthcare and have determined to kind of stay with healthcare, not just for the interest in cybersecurity, but because we’re doing good things, I feel like.
Saul Marquez:
Yeah, I appreciate that, Matt. Huge impact with that cross-section of both. And how about you, Brandyn?
Brandyn Blunt:
I’ve been in healthcare for most of my professional life. Even before I went into the cybersecurity field. I’ve been a part of emergency medical services working on an ambulance in the state of New York for many, many years. And when I decided to make a career change, I wanted to do something that still was challenging, it was fast-paced, and still something really fun to do, like being on the ambulance, but also I wanted to still make an impact and help patients. And that’s why I stay in the healthcare sector and have specialized in cybersecurity within this domain.
Saul Marquez:
Yeah, that’s fantastic, Brandyn. Certainly, high impact area, and oh, go ahead, Matt. Were you going to comment on something?
Matt McMahon:
Yeah, I was going to say that’s pretty cool, Brandyn, and I actually didn’t know, both of us apparently were EMTs, so I didn’t know that about you.
Saul Marquez:
Nice.
Brandyn Blunt:
Yes, I’m still certified, but I no longer am doing that work.
Saul Marquez:
So you were an EMT as well, Matt, huh?
Matt McMahon:
Yeah, many, many, many years ago.
Saul Marquez:
And, you know, there’s something about that like this being ready for sort of those surprises, being able to respond with agility. I think I’ve been interviewing a lot of the folks on the crew that have come up with a lot of these documents, and I noticed that about you all, is that you have this responsiveness about you.
Matt McMahon:
Thanks.
Brandyn Blunt:
Thank you.
Saul Marquez:
So it might be surprising, but at the same time, I’m like, hmm, that makes sense, it makes sense. And so on this topic of workforce talent, finding it, we’re struggling all across healthcare. I mean, from nurses to physician shortages, it’s a challenge, but this series is about cybersecurity. So talk to us about how hard it is to find cybersecurity talent and what is that looking like right now. I mean, is it a challenge?
Brandyn Blunt:
I would definitely agree and say that it is a challenge. I think it’s always been a challenge, especially with how the world changes from day to day and our perspective on what is talent, what are the requirements for somebody to get into this sector, no matter if it’s healthcare or finance or government? What’s the education requirements? Is there a standardization between certifications? What kind of certifications should someone have, and where those fit within either entry, mid, or senior level? There’s also, I think, different avenues within cybersecurity, more of a technical and a management side. So trying to find somebody who wants to go either path, and cost, to get into cybersecurity from an education standpoint, I know it’s definitely a big cost for higher education no matter what you’re going for as we all know, to go to some of these universities and with some companies, you have to do that because everybody is looking for these requirements that they want in a candidate that sometimes just doesn’t work. I’ve seen entry-level jobs posted out there, and I don’t know if you have, Matt, too, but looking for five-plus years with a bachelor’s and a CSSLP and other certifications, that really doesn’t mirror an entry-level position. So it’s hard to get somebody in there, and I think it’s time for us as an organization to start thinking outside the box, or as a sector, really.
Matt McMahon:
Absolutely, and I know in healthcare, obviously, healthcare tends to pay a little bit less than some of our other sectors, so banking, you know, comes in and is able to sneak some of our staff away. But on the medical device manufacturer side, one of the things that we’ve really struggled with and I’ve seen this across a couple of different companies is it’s not even just cybersecurity knowledge now, it’s knowledge of just a huge emerging tech set. When I interviewed for my current job, they wanted to validate that I had cybersecurity experience and certifications and training, but because of the role that I was going into, they also wanted cloud experience and AI experience because some of the products are AI-based, they wanted government experience to know that I can work with getting some of our products certified for maybe FEDRAMP or RMF. So a lot of our products are just, you know, especially as we’re moving into public health where the devices are kind of blending. It’s not just the medical device manufacturers, but now the Googles of the world are becoming medical device manufacturers are kind of coming into that space, not medical device manufacturers per se, but that personal technology that we’re incorporating into data that physicians are seeing, a lot of the roles are just really becoming these unicorns where if I needed to name two or three people, I mean, we’re putting out wrecks that if I had to look through my entire LinkedIn group, there might be two people that fill all the things that we’re looking to find. So it’s becoming really difficult.
Brandyn Blunt:
Yeah, and as we all know, cybersecurity as a whole is a very broad sector from no matter what area you’re working in. Medical device cybersecurity is, in my opinion, is relatively new with what I’ve seen and with even experienced people I’ve talked to out there, because now we’re just starting to look at getting security stacks and procedures installed on medical devices and in working with the manufacturers from a different perspective, from a healthcare organization or the manufacturer going to a healthcare organizations, trying to figure out how we make these devices safer. And it’s hard to find somebody too, in some ways, that has that split between a clinical side of knowledge and technical side of knowledge. Like Matt said, sometimes it’s like looking for a unicorn, but I think if we start looking outside the, you know, using outside-the-box methods, we can get there as a sector. I know it took me a very long time to break into cybersecurity because of the requirements I stated in the past. It took one director to take a shot at me and it worked out for the best, for both of us.
Saul Marquez:
Yeah, no, some great, great highlights, guys, it is difficult. And, you know, this whole concept of cybersecurity for medical devices is more new, and new requirements have come out of it. So it is sort of a, you know, a ubiquitous need, but it is newer in some of the segments that we’re used to, like med devices. So as organizations, both healthcare delivery organizations like on your half, Brandyn, Matt, you know, the medical device manufacturers as we’re all looking to attract cybersecurity talent and develop cybersecurity talent, what are some of the ways we could compete for this talent, especially when competing against big tech and finance?
Matt McMahon:
Yeah, I think paying the same is going to be difficult, certainly, in some sectors. I think leveraging the fact that we’re doing that really important work that it really, potentially can save lives. You know, I know that’s a big, big driver for me and a lot of others in the field. So if we can kind of leverage that, but we also do really interesting work. You know, some of the projects that I’ve been on, certainly at some of the big tech giants, you’re going to get involved in really interesting work, too, but some of the medical device manufacturers, and even a lot of the hospitals we’re seeing, some of their labs are just producing really interesting studies. I think that’s really one way to kind of get people interested, is kind of to show them healthcare is really the merging of several different emerging technologies into cybersecurity and into all these other roles, which I think is, I think that’s really one selling point. But to be able to get people in the door, I think to Brandyn’s point, it’s really important to put out good job descriptions that say, you know what, we’d like this basic level of cybersecurity competence, but this role does have a cloud component. We don’t expect you to both be a cybersecurity and cloud expert. We can send you to trainings and kind of grow you into that cloud role. So we need someone that’s willing to continue to grow but have a basic understanding of some of the concepts.
Saul Marquez:
Yeah, some great callouts. Brandyn, any thoughts from you there?
Brandyn Blunt:
Yeah, you know, I agree with Matt completely on his statements there. And we can also look at specializing in tailoring cybersecurity for healthcare, in education, you know, get more cybersecurity, healthcare certifications out there, educational classes. It doesn’t have to just be a degree. It could be a certificate or a license, something to get people in the door and get going. There’s lots of people out there, smarter than anybody that I might know or smarter than me, they just can’t get that path because they’re blocked by finance or they can’t get enough aid to go to college and nobody will give them a look. So I think using that kind of leverage, we can get there, and utilizing students within the college or even high school, if you look inside the workforce, the Workforce Guide that we published, it talks about student-staffing pipeline as one of the sectors. Is getting part-time work or internships or getting students at a high school level involved so that way they have another avenue to pivot to other than just big tech or finance. Not that it’s a bad, not a bad way to go that way, but sometimes people don’t know about the healthcare sector in cybersecurity because they think cybersecurity and it’s got to be big tech or finance.
Saul Marquez:
Yeah, no, some great callouts, and you brought out the Workforce Guide, Brandyn. So this is a document that you and a group of other stakeholders put together as part of the cybersecurity efforts, and tell us how the workforce guide works, what’s in it, how can it help organizations.
Brandyn Blunt:
The Workforce Guide is a great tool to utilize, and it’s mainly, it’s structured for healthcare, but I think you could use it for any sector, just the way it’s laid out. It gives you a nice overview of how critical healthcare is from a cybersecurity perspective, patient care perspective, and how vulnerable it is to cyber-attacks and malicious actors. And it also goes into giving you a guide on how you can build a workforce ladder and build a cybersecurity team with using different ideas like the student pipeline. It also goes into giving you tactics for success. You can also use this too, not just for staffing point but also employee retention. Another way to do the staffing is take IT staff who might be sys admins help desk, see if they are interested in cybersecurity, and develop a path where they do an apprenticeship with somebody within the organization, either on the management side or the technical side, and have an HR path for them to see how and which way they want to go. This way you’re developing your team from within that already knows the organization and then you get them and promote them, not, promote their personal and their professional career, because it’s also a personal goal for people to move up in a company. And that way you’re going to keep loyalty and retention of employees. And then you can look at backfilling those positions or even the entry-level positions and do the same thing. And this way you’re going to start developing employees that know the environment and are learning from others within the company that have extreme amount of experience, not just with the company, but in cybersecurity in general. And this way it’ll actually teach them the requirements that we’re looking for in this sector, in cybersecurity as a whole, not just an overview of cybersecurity. It actually gets them hands-on and they can have the tactics for success.
Saul Marquez:
Well, I think that’s great, Brandyn. And folks, just as a reminder, as we have in all previous episodes, the Workforce Guide is a downloadable document that you could get from the Health Sector Council’s website. You don’t have to go hunting for it. We have created a link for you to go ahead and download that. Just go to the show notes of this podcast and you’ll be able to have access to that, Brandyn, thank you for that. So one thing is hiring the talent, the next thing is developing and keeping good talent. What are the thoughts around that? Maybe, Matt, you could start us off with that one.
Matt McMahon:
Yeah, I really liked some of Brandyn’s comments about looking to your internal staff that maybe aren’t currently in a cybersecurity role but are interested, especially if they already have a foot in the door of tech. At a previous employer that I worked at, another large medical device manufacturer, we actually launched a mentorship program and was a little bit overwhelmed to find that we had almost 60 people sign up, internal candidates that kind of came from all different organizations, service, sales, primarily service, but it was really interesting who came out of the woodwork. So we had them provide their background …, and this was interesting based on kind of where they lived and what was available for a job at that point. We had first-level service staff. We had one individual that had a CSSLP, so that certification brand was talking about that high level need five years of experience in cybersecurity to get. So again, we had an entry-level service person with that certification. We had a number of individuals that came from military experience where they had pretty good cybersecurity experience from that, from those roles that once we paired them up with a little difficult to find almost 60 internal cybersecurity people to agree to have a mentor, but it worked really well. We tried to pair them up with, interest of what, as Brandyn was saying, there’s such a broad diversity of roles within cybersecurity. So we kind of tried to pair them up with individuals that were working in the field that they wanted to go into. So maybe more digital forensics for some of them, maybe more technical penetration testing, maybe some just wanted to do risk assessments, things like that. So that was really interesting. I would definitely suggest creating that mentorship program internally within your own organization. You’d be really surprised who comes out of the woodwork and their current experience level. And it was really beneficial to the mentors too, because now these are cybersecurity, medium to senior level cybersecurity people, in a lot of cases, that really were kind of drowned, I wouldn’t say drowning, but where, it had a lot of work to do and now they’re able to, to give these individuals some of their work to help them learn and grow, and it was really a mutually beneficial situation. So that would be definitely one way that I would say to go definitely the mentorship program, it’s a little bit trickier to bring in interns, so we’ve kind of tried to do that, but bringing in individuals to work in cybersecurity outside of the company. But definitely leverage your internal staff and you can do a lot of training internally too, you can do lunch and learns. Basically what we did was, so I attend two different local DEFCON chapters. So the typical hacker kind of collective or hacker meetup where you meet up once a month and one person from the group does a presentation on whatever technical topic they want to do a presentation on, well, you can do the same thing in your organization. Once a month, you can have a lunch and learn, have one of the developers that’s maybe working on a cybersecurity topic, give a presentation. The lesson’s learned, it’s internal only, this is what we did. We were trying to implement a new cybersecurity feature. Here was the pros, here’s the cons, here’s what the ten other businesses in our organization can do to kind of learn from that. So that was really beneficial as well.
Saul Marquez:
Some great ideas there, Matt. Yeah, Brandyn, go ahead.
Brandyn Blunt:
And again, I can’t stress enough too, training, like Matt touched on training, giving your staff the opportunity to train in this is what’s going to also help because even if they’re not in cybersecurity specifically for their job function, everybody is responsible for cybersecurity all the way down to the end user. And if you have your IT team trained in cybersecurity and allow them to go to these trainings and, you know, I know everybody, you know, financially with COVID and everything going on, training, I think is something that we should really be looking at because that’s going to help us in this field. And again, it’s part of, that’s part of the tactics for success in the Workforce Guide, and I’ll say it again, is think outside the box. I know myself and others out there that have worked in IT, that have come across nurses that are EMR system administrators. That’s a great pool to pick from when you’re looking for somebody that has a clinical side experience and an IT side. So again, that’s, apprenticeships and mentorship programs, seeing who is willing to pivot for a career change. You know, there are people out there that would like to do that. So keeping an open mind is key.
Matt McMahon:
And there are some good low-cost resources out there. There’s some great videos online, maybe on youtube. Another thing that I’ve done quite a bit of is while a certification in cybersecurity may cost anywhere from like $250 all the way up to like $700 to take the exam, which certainly if you’re getting in the field, is pretty expensive. The study guides are usually anywhere from $25 to $35, so you don’t actually need to get the certification. Certainly, it helps with finding a new job, but if you’re just trying to skill up, you can buy a couple of those books for 30 bucks, read through them, and you can even take the tests at the end and have the good feeling that you’ve passed based on the test. Certainly, you can’t, you don’t have the certification then, which is a bit of a bummer, but it is one way to scale up.
Saul Marquez:
That’s awesome, guys. And folks, from a hiring perspective, you know what Matt and Brandyn are offering up here are things to be considered. You’ve got to be creative, you’ve got to be open-minded, you got to look in those less thought-of areas, the EMR specialist idea was really great. Maybe it’s a nurse informaticist, maybe it’s somebody that never even did cybersecurity before. So really appreciate this, guys, and great work on the Workforce Guide, I think it’s a great resource. What’s coming next?
Matt McMahon:
All right, I can start that. We’ll circle back with Brandyn. So actually, so this topic is something that I’m very interested in and engaged with. Obviously working with the Workforce Development group, being a part-time professor, all of those good things, I actually create, if you kind of interested in learning a little bit more of these topics, kind of creative things that we’ve done within corporate environments to come up with creative cybersecurity training opportunities. I’m actually giving a full hour-long talk at the ESI Squared Security conference next week, so I know that’s a closed conference, but I’m hoping that that will be recorded and then available. If it is available, I’ll put it on YouTube. If not available, feel free to reach out with the contacts and I’m happy to provide the slides for that.
Saul Marquez:
Love it, thank you, Matt. And Brandyn, how about you? With the Workforce Guide being done, what are the next projects coming out of that group and other opportunities for organizations and people wanting to get involved in cybersecurity that they could leverage?
Brandyn Blunt:
There’s videos that the group is working on. There’s always ideas being talked about within the group.
Matt McMahon:
I think videos are definitely something to kind of highlight. Those are, I believe it’s, what is it, 13, I think, videos that are specific to the healthcare sector aimed at clinical staff. The speaker is Dr. Christian DeMuth, who’s an ER doctor from … UCSD. They should be out in the coming months. We’re recording them now, so we’ll see how long it takes to get those done, but definitely look for those. Those will be freely available, I believe, on YouTube. So if you don’t want to, don’t have the budget to create your own hospital IT cybersecurity training, we’ve provided it for free, so feel free to take those and utilize those in your own training program.
Saul Marquez:
Yes, love that. Now, well, listen, fantastic. Thank you both, Matt, Brandyn, for spending some time with us talking through cybersecurity talent, how can we position ourselves to compete against some of the big tech and finance, and what can we do as an industry to level up and increase training and opportunities for people once we get them in the door. I just want to thank both of you for your time today. Well, finally, what call to action would you both leave our listeners with? And then we could conclude.
Matt McMahon:
I would say, you know, it’s interesting. We’re talking about how to get people involved in cybersecurity that maybe aren’t that involved in cybersecurity. And it’s certainly very, very scary being that person on the outside kind of trying to break in and thinking, I don’t have the bachelor’s in computer science. Can I really get into this field? One of the most interesting things to do is, the cybersecurity professionals, to go to a conference and ask ten random people you meet how they get into cybersecurity, and you’re going to get ten completely different stories. I mean, some of the most respected and well-known cybersecurity people in the field have really interesting backgrounds, like one of them that comes to mind was a former librarian. You know, if you can really get into cybersecurity from a lot of different fields and certainly we need the additional staffing. So I’m not going to say that it’s super easy because there is a lot of obviously technical information to kind of scale up on, networking, and things like that or, you know, the better you are and more employable you’ll be. But definitely don’t think that because you don’t have a traditional computer science background and degree that cyber isn’t for you. It might actually be something that really is interesting for you. Personally, I went to undergraduate for clinical Psych, so that’s kind of started my path. So definitely consider cybersecurity and especially consider healthcare cybersecurity.
Brandyn Blunt:
Yes, IT is changing every day. From what I see, especially cybersecurity, and what attackers are looking for or the different types of malware that are coming out. You can, if you work hard and you’re willing to learn and do the grind and hustle to get the knowledge, I think that getting the basics will help you go a long way. And I think also maybe leveraging some of our certification companies out there to help get people into cybersecurity, you know, creating more of an entry-level certificate or route for someone to go that might not be able to afford the traditional college roadmap. And also putting out there places where people can go to see those roadmaps of the different domains within cybersecurity, the different avenues they can take from a technical perspective, from somebody that wants to get on a red team, or do pen testing, or somebody wants to go on the management side and look at policies and procedures and IT contracts, things in that perspective too, from a cybersecurity legal area. There’s different ways and avenues that we can all as a team build this workforce and bring people in. I feel we just need to work together and help open those doors, not restrict them.
Saul Marquez:
Love that. Brandyn, thank you, and Matt, thank you as well. You’ve left us with a lot of great ideas to build our staff and our teams, be they technical management leadership in cybersecurity. So I want to thank you both for your time today and your contributions to this podcast series.
Brandyn Blunt:
Thank you, and thanks for having us.
Sonix has many features that you’d love including advanced search, automated subtitles, automated translation, collaboration tools, and easily transcribe your Zoom meetings. Try Sonix for free today.
