Published January 2023 – 

CISOs often live in fear of a breach or audit, but Hugo Lai, CISO at Temple Health, says it’s not something to worry about. As long as you have a good plan and can explain the steps you’ve taken to protect the organization, the chips will fall where they may. And never consider it to be on your shoulders alone, as you have all your colleagues at the organization for support. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Lai also talks about finding the right balance for information security governance – it begins with establishing a good working relationship with everyone in the organization; then recognizing that all risks cannot be mitigated. Your job as a CISO is to be prepared to provide suggestions for security improvements, not just identify problems. “They hire a CISO for a reason,” he says. Then, let the business decide what to prioritize.

LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 

Bold Statements

 … as much as you have a very defined information security roadmap, you also want to identify areas that are potentially a quick win. And when an opportunity arises, those will be the occasions that perhaps it makes sense to execute or do those initiatives. Because if you don’t do it now, then there will be no better timing to do it.

One thing that I truly believe in information security is that you need to tie IT to business and apply context into information security.

If I have to worry about the next attack all the time, it’s not going to make me very effective in my role. So I always think about this – there are so many choices that we have, or so many decisions that we have to make, as long as we are making a conscious decision, whatever that may be, we know we can always back that up.

Guerra: Hugo, thanks for joining me.

Lai: Good morning, Anthony.

Guerra: Hugo, to start out, why don’t you tell me a little bit about your organization and your role there?

Lai: Sure. So I work for Temple Health. It is four hospital systems based in Philadelphia in Pennsylvania. And I am the chief information security officer here.

Guerra: Very good. Thank you. Can you tell me how you wound up as a CISO at a health system, your career and how you wound up getting into technology and then security and then healthcare – in whatever order that happened?

Lai: Certainly, so I started off my security career as a security consultant for many years. Actually, let’s step a little bit back. I studied information security when I was in college, and basically, after I graduated, I got recruited to support a government client working in security consulting. And I continued with that for many years. And I supported many government clients, including NIH and some of the civilian healthcare agencies, if you will. That’s how I got myself into the healthcare industry. And then after that, I started working in the industry, leading a cybersecurity practice for small organizations. And then here I am, with Temple Health.

Guerra: What would you say it is about security that you find most interesting? You know, there’s the CIO route, and then there’s the CISO route. So why did you prefer to go into security as opposed to general technology CIO-type stuff?

Lai: Well, security has always been my interest. I think it has a little bit to do with the experience of when I used to work and study near the Capitol.