Craig Kobren, Chief Information Security Officer at The Christ Hospital Health Network, speaks with Michael Sutter, CEO of Enlivened Tech, in a video interview about the importance of data awareness and business continuity in tackling cyber threats, proactive preparation, strengthening identity security, the evolution of the security role, and what makes a solid cybersecurity professional.

Importance of data awareness and business continuity

At the outset, Kobren highlights the critical steps that healthcare organizations should focus on to tackle cyber threats. He prioritizes two key factors:

• Knowing exactly where sensitive data resides
• Preparing for scenarios that could disrupt business continuity while knowing how to recover.

For Kobren, the importance of knowing where Protected Health Information (PHI) lives within an organization cannot be overstated. This understanding is not only essential from a strategic perspective but also from a compliance standpoint. Mapping data flows and identifying where sensitive information is stored and how it moves through systems is a foundational element of the healthcare sector’s cybersecurity strategy.

However, Kobren states that the second factor of business continuity takes precedence in terms of priority. “Business continuity is probably a bigger priority. If something happens, how do we stay open? You don’t exactly know how a bad person’s going to attack you. Which system would they be able to get into? It is hard to lay out,” he says.

To prepare for such scenarios, the team has rigorous preparedness efforts that include scenario planning that helps build awareness and resilience across organizations. Kobren reaffirms that planning for disruption is non-negotiable in healthcare. “That has to be in your planning because you can’t close. We spend a lot of time focusing on, if the scenario happened, how do we get organized? How would we handle this?”

Practicing recovery and learning from others

Delving further, Kobren explains that his team takes a multifaceted approach to preparedness, combining investment in recovery systems, regular testing, and scenario-based planning.

The goal is to ensure the organization is positioned to respond effectively in the event of a disruption. “We look where we can test the best of our abilities in doing that to prepare,” he adds.

Additionally, Kobren stresses the importance of rehearsal and repetition in building resilience. “We strongly believe that if you can practice anything, it brings value,” he says. This includes frequent conversations with business units to assess continuity plans.

“We’ve spent a lot of time meeting with our business partners and talking through, ‘Hey, how would this specific part of the organization be able to run if this scenario happened?’”

On top of internal preparations, Kobren shares that his team monitors incidents across the industry to draw lessons from real-world events. Given the unique threat landscape, he states, “We do spend a lot of time thinking through those scenarios because we know it’s one of the most attacked industries.”

Moving forward, Kobren says that healthcare consistently ranks at the top when it comes to industries frequently targeted by cyberattacks. He elaborates that attackers have recognized the high impact of disrupting hospital services, making ransom demands more effective because organizations are desperate to restore operations.

Using a familiar analogy, Kobren says, “Why do bad guys rob banks? That’s because of where the money is.” Similarly, healthcare is an appealing target because of the critical nature of its services and the sensitivity of the data it holds.

When asked where the organization pulls its data from, he shares that information on cyberattack trends comes from a variety of sources, including reports from organizations like the FBI and the annual Verizon Data Breach Report.

Strengthening identity security

To strengthen identity security, Kobren follows a strong, centralized approach to access control. He mentions that the organization aims to manage “all access to all systems,” including remote and cloud-based applications.

By integrating services with single sign-on (SSO), the team ensures control over user credentials: “We know that we are in control of your username and password.” This allows them to enforce password complexity, reset credentials when needed, and block accounts if security is compromised.

Ultimately, Kobren states, “We want to be in control of as much of that process as possible” when it comes to identity management.

Reflecting on the enduring importance of identity management in information security, he affirms that it has been a central focus. While new tools have emerged, most notably multifactor authentication (MFA), the core principles remain the same, he adds.

Kobren reiterates that MFA is “a very, very good control,” but acknowledges that even these measures have been bypassed, especially earlier forms that relied on codes sent via email or text. Attackers found ways to trick users, leading to a shift toward more secure methods.

“Now you’re getting into more of an authenticator app, which is comical because it’s kind of back to the RSA token idea,” he says.

What makes a strong cybersecurity professional

Kobren’s journey into information security didn’t follow a traditional path, as he started as an electrical engineer. Reflecting on the early days of the field, he recalls how difficult it used to be to find skilled security professionals.

 “There were no degrees, there were no schools training security individuals,” he shares. Instead, organizations relied on individuals already working in IT systems, “people that worked on certain IT systems that had some security flavor, and you kind of grew them into security professionals.”

Today, he sees a very different landscape. Security has become mainstream, with breaches making headlines regularly and increasing demands driven by growing privacy laws and regulations.

Despite the rise of formal security education, Kobren believes that the best professionals are “people that are very well-rounded and have experiences across all of the IT stack.” He emphasizes that it’s tough to gain that kind of depth in a four-year college setting without hands-on infrastructure work.

When hiring, he looks for people who have administered real systems and dealt with operational challenges like updates and performance. However, he adds, “Trying to be able to afford the talent with that many years of experience is challenging.”

Kobren places high value on intrinsic curiosity and a problem-solving mindset. The ideal candidate asks questions like, “Why did that not work? How could this go wrong?” and strives to prevent failure through proactive thinking.

Wrapping up, Kobren believes success in the field comes down to passion and mindset. The biggest thing one needs is to dig and never give up, as it is the good guys against the bad guys, he concludes.

CDO Magazine appreciates Craig Kobren for sharing his insights with our global community.