Cloud Security Reinvented

How to Build Trust and Reputation in Information Security with Dan Walsh



## Episode Summary

The information security field is changing as fast as the rest of the world, and it’s safe to assume that it will grow rapidly in the years to come.

If we look at the last decade, and particularly after the emergence of the cloud, we can't help but notice how much the security field has evolved.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Dan Walsh, the Chief Information Security Officer at VillageMD. They get into the best and worst practices in information security, the importance of building trust, and share their predictions for the future.

## Guest-at-a-Glance

💡 Name: Dan Walsh

💡 What he does: He's the Chief Information Security Officer at VillageMD.

💡 Company: VillageMD

💡 Noteworthy: Dan used to work at Vanguard in business operations, but then he made both a career and industry transition and moved into information security at UnitedHealth Group.

💡 Where to find Dan: LinkedIn | Twitter

## Key Insights

⚡ Bring good security people onto your team to improve your capabilities. Dan talks about his career transition from business operations to security. "I was always very passionate about making sure that the applications we developed were secure, which caught the attention of our security team, and then, I transitioned into working on the security team at UnitedHealth Group, which kicked off my security career."

He shares his point of view on pulling good security people into your team. Rather than pushing security staff out into the rest of the organization, we should think about bringing security-minded engineers in to improve the security team's own capabilities. "If I can find an engineering team that scans their source code for open source vulnerabilities and that makes sure that their cloud infrastructure access and vulnerabilities are managed very well, I'm going to pull those people into my [team]; I want them."

⚡ The healthcare industry has come a long way with its security investments, but there's still room to grow and improve. Healthcare is often seen as a slow adopter of the newest developments in information security. Having spent some time in healthcare, Dan makes the case that the field is open to improvement. "I would also say that healthcare has been a bit of a low or slow adopter to the cloud as compared to some of the other industries, but I do think that because of the focus on rising costs and trying to keep them down, it's inevitable, and it is happening. In my opinion — not scientifically — we're easily over halfway there. I would say that in order to run a large healthcare company at scale, these days, you have to start in the cloud. You can't start on-premise. Just financially, that doesn't make any sense."

⚡ Security is all about trust. You have to build relationships with people. They have to trust you, so be excellent but also trustworthy.

"A lot of people complained, 'How do I get into security? They just hired their friend, and I really wish they would have hired me, because I think I might be more qualified.' And I think what people miss is that trust. You don't trust in them. And since we're in the business of trust, that's why it might sometimes feel like it's a club when, in reality, it's not."

## Episode Highlights

### As we move into the cloud, we shouldn't forget about access control and asset inventory

"For me, access control and asset inventory are the top two. I know that, obviously, vulnerability management is important as well. In my experience, I've seen more problems with cloud incidents, with knowing what is in my cloud infrastructure and knowing who has access to it than because something wasn't patched in the cloud."

### What long-time security practice should we have gotten rid of by now?

"One thing that we still see pop up from companies in the healthcare system is, 'We want the right to inspect or the right to be notified when you're moving to the cloud infrastructure.' Well, it's like, 'You're not going to inspect GCP’s or Azure AWS’s server building, wherever that's located.' I also don't think that it's really necessary to notify them when they're making a change like that. Because I just don't know what value that adds other than creating overhead for the team. So that's definitely one, even if it's a very specific one."

### The importance of trust in the security field

"Cecelia, my first manager at UnitedHealth Group, taught me how to be direct, how to get to the brass tacks and the bottom line. I remember when I first started with her, she would say, 'You have to have coins in the bank with me,' meaning, 'You have to earn my trust.' And so that was a huge lesson — to build trust with people. Because that's what security is all about. […]

It's important to build relationships prior to there being a problem. The one thing that I've just done as good practice, which has benefited me tremendously and that I would advise people to do is, 'You don't have to be the expert in the domain that you're managing, but I would say that you need to get more than an inch deep in it in order to make sure you hire the right person for it.'"

Cloud Security Reinvented, by Orca Security