Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
#3: Izhar Mujaddidi
77 Plays10 months ago
Izhar Mujaddidi shares the intricacies of building a comprehensive security program, navigating the challenges of cloud adoption, and managing the evolving landscape of third-party risks. Spanning a career that took him from federal contractor to commercial healthcare, Izhar shares his valuable perspectives on AI's role in shaping the security landscape and Izhar's vision for the future, as he reflects on his career and envisions a consultancy role. Tune in for a compelling discussion on securing data, mitigating risks, and the transformative potential of emerging technologies in the healthcare industry.
Recommended
Transcript
Introduction to Atlas Systems Podcast
00:00:00
Speaker
This is Transformation Stories, a podcast from Atlas Systems, exploring how companies are leaping into the future through deliberate change and innovation. In today's digital landscape, businesses face a choice to transform or risk falling behind.
00:00:18
Speaker
Here are the insights of visionaries and changemakers who are driving transformation across various industries and roles. They'll share their experiences, strategies, and the most potent opportunities for success. Join us as we uncover the secrets of transformation.
Security Leadership with Isar Mujaddidi
00:00:39
Speaker
Isar Ahmed Mujaddidi is Chief Information Security Officer for Carillon Behavioral Health, previously known as Beacon Health Options,
00:00:48
Speaker
where he has established a comprehensive and proactive information security program that includes implementation of safeguards as well as security awareness, training, and governance. Over the past 20 years, Wajiditi has led internal information security audits, assessments, and reviews
00:01:08
Speaker
penetration and security testing, independent product evaluations, and more. Muja Didi is a graduate of the Minority Management Development Fellowship Program from the American Association of Health Plans, now known as AHIP, and holds a Master's of Business Administration from Brownow University. Well, hello. It's Muja Didi. Thank you so much for joining us on Transformation Stories. It's great to have you.
00:01:37
Speaker
Thank you so much. I really appreciate the offer and the invite to speak on this important subject with you guys. No, it's great to have you. I wonder if we could start out by talking a little about your current role, what you're doing and what your concerns are, your purview.
Crafting a Cybersecurity Strategy
00:01:55
Speaker
So could you just give us a little background on that?
00:01:58
Speaker
Sure. So I'm the Chief Information Security Officer for a company called CareLawn Behavioral Health, which is a subsidiary of a Fortune 23 company, Elements Health, and we were acquired about three years ago. So I've been in this role with the company for the last 12 years or so. So when I started back,
00:02:22
Speaker
In 2011, the original company was known as Valley options. Eventually it was bought by venture capitalists and became vegan health options. And then about 3 years ago, we were purchased by elements health and we became care on behavioral health. About a year ago, we were branded as as a care on behavioral health.
00:02:40
Speaker
It's a health and wellness company. It's one of the leading companies that provides mental health and substance abuse services. And basically, one of our motto is to stamp out stigma, anything related with mental health. So we promote health and awareness, as well as mental health for people
00:03:05
Speaker
Across all of the United States, we have members all throughout the United States that we service. So in my current role, I'm responsible for overseeing the security program for the subsidiary, the Kaitlin Behavioral Health. So I was brought in.
00:03:26
Speaker
a little background on my background. I came in with about 12 years of experience as a federal contractor in the federal security field. So naturally, I have a lot of expertise in the federal security arena. I came into this commercial environment about 12 years ago because we had
00:03:52
Speaker
a military client that we had some needs for from that perspective. So when I stepped in, I actually created the security program for the organization. So the organization, so build that program, you know, based on five key principles that I follow, and I follow that as of today as well, is to make sure that we have a wholesome program and we have good cybersecurity hygiene across the whole organization.
00:04:20
Speaker
So the whole program that I built upon, I included making sure we had the right governance infrastructure in place, making sure that we had the right policies, procedures, and requirements that we have to meet. And second was to make sure that we met all the compliance requirements being health care. It's heavily regulated. So we had to make sure that we meet and exceed all the expectations set by the regulators. Third was to make sure that we had
00:04:48
Speaker
all the right cyber hygiene elements, we call them safeguards. Make sure you have the right gun guards and gates in place to make sure we are able to protect, detect, and correct information and to make sure that we are able to deal with current threats and future threats as well. Part of that program is also looking at your attack surface and managing it and then finding ways how you can minimize that attack
Training and Prevention in Cybersecurity
00:05:15
Speaker
surface.
00:05:15
Speaker
And also we had to make sure that our people are properly trained. So that was another part of the plan was to ensure that we train our people properly because I think human elements, human are the weakest link in the whole ecosystem within any enterprise. So definitely
00:05:33
Speaker
You know, you know, our partner recently published some stats on, you know, human error is going to be a leading cause of breaches in the future. So, you know, plus with the advent of AI and deep fake impersonation, things of that nature, that is going to be so we have to really train our people very well.
00:05:54
Speaker
And finally, I had to make sure that we could continue to operate. So being a key element of security is to make sure we are able to recover from a disruption or a disaster. So build that security program over time.
00:06:11
Speaker
and then got it validated through adoption of different frameworks. So, in my position at KELOLAND, we service many verticals, including the public sector, we have our DOD federal sector, and we have the commercial sector.
00:06:30
Speaker
Each of these areas have different frameworks and standards per se that these verticals have to follow and the people who belong to that vertical actually look for those things. For example, like in the commercial employer market, they look for international standards such as ISO, making sure that you're able to demonstrate that your program is sound, your security program, and you're able to attest to it through a certification.
00:06:58
Speaker
on the health plan side, something like high trust. And finally, finally from on a commercial side of what is called the authority to operate. So making sure that we meet those requirements. So build that program over the last 12 years have been successful at it. And we continue to instant repeat our procedures. We continuously measure and manage risk across all spectrum of the organization, including
00:07:28
Speaker
people, you know, technology and testing our disaster recovery plans and that nature. So we continue to measure and manage risk in our enterprise. And when you moved from the federal government sector to more of a corporate with Carillon, how did you have to sort of change your focus? How did you have to transform your own knowledge and focus?
Transitioning Security Approaches
00:07:53
Speaker
So I think coming in from a very regimented environment where there are strict requirements, I really had to make an adjustment when you move over to the commercial side, especially within healthcare. Healthcare, as you know, is always a big target. It is still a big target because of
00:08:13
Speaker
a lot of different factors. I think it's the second most regulated industry next to finance, but still from a maturity perspective, it would take time from that. So basically, I think building those bridges and becoming a trusted partner within the environment actually helped me spread my message.
00:08:39
Speaker
and actually showing the true value of security in terms of return on investments, on minimizing our tax surface, being less subject to fines and penalties because of breaches, things of that nature, and having a constant eye on the environment actually helped.
00:09:02
Speaker
On the federal side, it's strict, very strict. You do this this way, there's no leeway. On the commercial side, definitely there's a lot of convincing that needs to happen because a lot of these things are standards. You know, once they're implemented, yeah, you can enforce that, but to get to that point, it takes a time for you to do the convincing.
00:09:22
Speaker
and also to show the value of and comparing yourself with other organizations from a maturity keeping of a scorecard. For example, like a security scorecard of your organization, comparing also helps. So definitely the big challenge was actually getting to understand the commercial environment and getting to see how we can implement things that are good.
00:09:47
Speaker
But don't make it too tough that you are not able to achieve your objective. If you make things so difficult that the business is not able to operate, then it defeats the purpose of being in the business. So definitely have a relaxed approach. And having the right buy-in for management was a key for my success over the years.
00:10:08
Speaker
And thinking about, you know, becoming a trusted partner, you know, and transforming attitudes.
Management and Resource Utilization for Security
00:10:13
Speaker
I mean, are there any other secrets to getting people's buy-in to really getting acceptance?
00:10:20
Speaker
Yeah, I think the most, the basic skill that we need to have is the ability to listen, listen to reason, because a lot of time people, you know, security minded people, it's my way or the highway, but you have to listen to the reason and find an alternative, find a better path, how we can meet that objective of what I'm trying to do and what the business is trying to do. And having that,
00:10:46
Speaker
Being a champion for a cause and having your right team in place really helps. Translating something as simple as, why do we need?
00:10:56
Speaker
two-factor authentication, right? So giving them convincing evidence as far as what the guidance is coming from the government, how much we can prevent, I know it's a hassle, you got to have a certain factor and things of that nature. So there's a lot of education, so educating the users and showing them the true value instead of saying, oh, it's a mandate, must do it.
00:11:19
Speaker
you know, my highway doesn't work. So definitely those things really, really help. It helped me and also having the right support from the management in terms of building up your strategic plan, showing them the value of each thing that you're trying to do, whether it's across training people on
00:11:39
Speaker
phishing through phishing exercises or implementing something extra to help us, you know, pick something that we may have missed during normal operation really helps. So, you know, getting that
00:11:55
Speaker
support for management is also very helpful. Also, what also helps is working with the peers. So I work with the Cyber Health Working Group headed by HHS. I work with InfraGuard, which is a FBI and a private industry organization. We share ideas. I take those ideas. I bring them back.
00:12:16
Speaker
to the table with the management. I say this is working and this is not working. And then make a good argument on what we need to do depend on what our gaps are, what our risk appetite is, and then making that decision and the investment. Lack of money is always an issue in any organization. And health care is no different. So definitely trying to show value for the money
00:12:43
Speaker
is very important and definitely if it could be backed by studies from you know you know organizations such as Gartner things like that I'm able to leverage those I'm able to use their tools and then make a convincing case of what we need to do and show them you know this is where the industry is heading towards this is where we should be we should be investing in zero trust we should be investing in x y and z we should be investing in
00:13:09
Speaker
you know, whatever the latest and the greatest threat vector is, how we can better protect it. And also, since the acquisition, we are getting a lot of our guidance from our parent company, being a Fortune 23 company, Fortune 2330 company. They have the might and they have a lot of knowledge. They have a lot of support. So I tap into their resources as well and see how we can better improve on how we operate, how I can transform myself as well as individual.
00:13:38
Speaker
and also transform my organization to meet the expectations from the parent company and hopefully try to come in parallel with what they have or even try to exceed what they have. Whatever things we are doing better, we can always share whatever things they are doing better with us. They share with us and we follow through and try to minimize. The ultimate goal is to make sure that the data we are entrusted with
00:14:04
Speaker
by our clients, whether it's the government, the state government, or the commercial is safeguarded.
00:14:09
Speaker
And then we are able to have the proper controls in place to make sure that we don't have a breach. And also we are safeguarding that information and we're disposing that information when we no longer need that information in a secure manner. So it doesn't end up in dumpsters on hard drives, things of that nature. In the past we have had those people losing equipment.
00:14:36
Speaker
people not paying attention, not sanitizing media, things of that nature, to prevent all of those. And also definitely putting in new technology, definitely with new stuff like what's coming up, AI, machine learning, things of that nature, how do we better prepare for all of those things?
AI Risks and Security Challenges
00:14:55
Speaker
Generative AI, people are talking about
00:14:58
Speaker
I enabled fraud is going to be prevalent in the next couple of years, you know, defects, and you don't know if it is really a real person that you're getting an email from. It may look like impersonation may increase. So those things, you know, chat GPD and all this AI has some bias issues, hallucination issues, has a lot of other issues where how do we deal with all of this emerging technology and how do we still
00:15:25
Speaker
benefit from it, but we also understand the risk associated with using it, loss of IP, loss of intellectual property. If we are using any of these models, if we are building some, what we have to make sure is what we bake into those things to make sure that it's not used for nefarious purposes.
00:15:44
Speaker
Yeah. I mean, thinking about like AI and a lot of these emerging technologies and platforms, how do you see sort of the risk profiles, the important risks transforming? Is it changing in dramatic ways?
00:16:01
Speaker
So definitely, AI is a new area. And definitely, it's coming with its own risk. So I think organizations right now are taking a reactive approach, meaning we're just going to block it, right? Block it at the network layer. So you can't get to chat GPT. You can't get to X, Y, and Z being AI. All of those things like that. But that's just a temporary fix. People find work around Z. I think, overall, the plan
00:16:30
Speaker
The training is very important in terms of training people. What is the acceptable use of AI? So, meaning setting up some sort of acceptable rules of behavior. Meaning if you are a consumer or if you are a user, or if you are a developer of.
00:16:48
Speaker
of AI to complete some kind of objective. You have to make sure that these things are taken into consideration, where you want to make sure there isn't a loss of IP. There isn't any issues with biases.
00:17:08
Speaker
And the AI is not turning on to you. I've seen some studies there, some groups there actually turning these AIs and stuff into something very nefarious, where the responses you're getting are really biased based on some criteria that they have manipulated, that search criteria. And then you have to be very careful how you do all of that.
00:17:34
Speaker
So definitely this AI-enabled fraud will fundamentally change our enterprise tech surface. Definitely, you know, we have to be more cognizant of how we deal with it, how we use it, and definitely there are a lot of benefits to it. That is the next thing coming. Everybody's, there's big investments in it from that perspective, but we have to have
00:17:58
Speaker
The correct mindset, and we have to be careful of how we use it, how we make use of it, and we want to make sure that we are not at risk of losing any of your intellectual property with the use, especially when you're dealing with software development. You don't want to code in there and then say a competitor or somebody else or whoever the company company goes bust.
00:18:20
Speaker
whatever happens and your IP is gone and nothing of
Cloud Security and Third-Party Risks
00:18:24
Speaker
that nature. So not exposing any of our crown jewels to such tools. And what about the use of cloud? I mean, do you see any special concerns there or things that you're focusing on now or for the future? Yeah, absolutely. I mean, definitely cloud is
00:18:44
Speaker
is a reality. It's not going anywhere. So definitely a lot of on-prem organizations are. They have data center exit strategies. They want to make use of the collaboration space and the security provided by cloud security providers. But cloud itself, once you are thinking of migrating your on-premise environment, it has to be thought out very carefully because
00:19:11
Speaker
Cloud is not a one-stop solution for you. There are responsibilities that lie on both the cloud service provider and yourself, depending on type of adoption. You have software as a service, infrastructure as a service, whatever model you may be using. And it's important to use a lot of, there's a lot of new technology out there that helps supplement
00:19:38
Speaker
security within the cloud environments, such as cloud access security brokers. And of course, zero trust is something that's very important, especially in cloud adoption as well. And definitely, you know, you no longer have your traditional security parameter. It's housed in who knows where.
00:20:02
Speaker
by a cloud service provider from that perspective. So negotiations, contracts, responsibilities have to be really thought out. And it's very robust. It's elastic. It's expandable. Definitely, it is the model that most of the organizations are going into.
00:20:23
Speaker
whether it's GCP, Azure, AWS, you name it. So definitely cloud adoption, cloud security concerns are valid as well. Cloud Security Alliance has published a set of guidelines on as you are evaluating cloud providers, you have to make sure they are providing with you all of these things that
00:20:46
Speaker
protect your data from end to end from that perspective and it's clearly demark where your responsibility starts, where their responsibility starts, where your responsibility ends, where their responsibility ends. Especially if you're a federal contractor there's always additional requirements such as the cloud service provider has to be you know FedRAMP certified meaning you know
00:21:08
Speaker
It has requirements around who can access people who are processing your citizenship onshore, meaning the data resides here in the United States. DoD has additional requirements. It's referred to as IL-4, IL-2, different things on top of the federal certification. So if you want to do business with the government and you want to put your app in the cloud,
00:21:28
Speaker
You have to pick one of those validated cloud providers. But if you're on a commercial side, you would just go to the regular, you're servicing just commercial clients. You can adopt any of the cloud providers, but you have to make sure that you have the right gun guards and gates in place for the cloud security architecture that will be implemented. You sort of touched on this, but in terms of third parties, how are the risks changing? How are they transforming? And how are you keeping up with
00:21:59
Speaker
So definitely third party risk is a major issue and it's been pointed out because a lot of organizations that recently had breaches were reason with third parties. It wasn't them, but it was their interested data to third party. So definitely a sound third party assessment program.
00:22:20
Speaker
is very important. So one of the things that we implemented at Market Company prior to acquisition and post-exposition is we've read all of our third parties and make sure what systems they'll be using, where the data is going to be hosted, how the data would be handled.
00:22:40
Speaker
How the data would be protected and go through a third party vendor assessment process and then and then after they go through the wedding process, we make sure that they are approved. Meaning that okay, we made sure they had the right thing. They had the certifications and they have like.
00:23:00
Speaker
They have validated all the things that we asked for. We also monitor them through a lot of third party risk rating systems. Now there's a lot of tools out there, such as bit side, up guard, security scorecard, risk econ. So that's actually measuring the attack surface for organizations. So a lot of vendors have started using
00:23:21
Speaker
these tools for all of their third parties on a continuous basis. So they're measuring the attack surface of these vendors, third parties, and if they see, and this may be a numerical or a quantitative score, depending on what tool you use, A through F, or 70, 90, 500, 600, whatever the score is, and then they would see that, okay, this third party that they're using to do X, Y, and Z seem to have RDP open on their,
00:23:51
Speaker
in their DMZ. So that's a big red flag. So that's what the companies are doing. They're connecting with those third parties and bringing attention to the issue to them and working them through resolution.
00:24:07
Speaker
So third party risk, it'll be there. I mean, in the past, it was limited to just have executing master service agreement, business associate agreements, or some side of security addendum. But now it's going beyond making sure that, you know, they meet and execute the requirements that are set. And these things are set now documented in a lot of agreements as well that we're going to monitor you.
00:24:31
Speaker
through other duration of the contract. You know, we may do assessments on you now, and then we're going to do it annually in that nature. If there's any kind of breach, there's some provisions in the contract when they have to notify us. And if it's our members involved, if we need to notify or they need to notify whoever legal would get involved and do all the notification with the regulators, you know,
00:24:56
Speaker
Definitely 3rd party. Definitely is a big risk. I probably heard a CC has new new security regulations enforcing it. Then even charging. There's some pending charges for the last solo event.
00:25:13
Speaker
see so they're charging them with fraud. And so there's a lot of scrutiny, both from regulators, as well as from companies themselves, on making sure that these third parties, you know, are sound and that they don't introduce
00:25:30
Speaker
any risk to us, especially in healthcare, you have the high tech provisions, so the liability goes downstream. So if a downstream vendor is affected, you may be affected as well. So yeah, third parties are a big, large risk. Just to wrap up, I wanted to ask you, thinking about
00:25:53
Speaker
where your career has been and where you maybe see yourself going.
Career in Cybersecurity and Future Goals
00:25:57
Speaker
How do you see your personal transformation continuing in terms of your career and anything else? Yeah, definitely. My career started with being a terminal area security officer in the United States Army. That was back in 1995. So that's how it started. It started with that, got into healthcare in healthcare management, did a fellowship at
00:26:19
Speaker
American Association of Health Plans for the Minority Management Development Fellowship. After that, became a defense contractor, went through Department of Defense, National Defense University, and got a couple of certification in information assurance. But a two-year worth of training up at National Defense University, post that about in 2018, also completed a CISO executive certification from Carnegie Mellon University.
00:26:48
Speaker
I was one of the first few cohorts when this program started. It's a select program of CISOs across industry, across the federal government, that they attend a six-month program, rigorous program.
00:27:04
Speaker
that I attended. So in my current role, I continue to be the CISO. I foresee myself moving more into a consultancy role, getting out of the operations as I age, but definitely staying in within the security field, assessing and advising leaders as I continue to grow. And then I continue to educate myself as well.
00:27:30
Speaker
And in the past, I may increase my voluntary work. I've done quite a bit with Iseca, as well as serving on their CISA and CSIM boards for quite a few years. And I will continue doing that and continue to educate myself.
00:27:47
Speaker
and continue to play a pivot role, play an important role in making sure that information security is brought to the table, to the management, and they realize that we are a key stakeholder within the whole ecosystem of the organization, and we are a very, very important partner.
00:28:08
Speaker
As you know, healthcare has a lot of issues, like a lot of tech deaths, ransomware, breaches, a lot of fragmented architectures. I definitely want to continue to help build and remediate, develop programs for organizations, and also mentor junior staff as well, continue to educate them and help them grow in their field, and then make future leaders information security.
00:28:37
Speaker
Well, thank you so much for talking to us today. We really appreciate your insights and your time. Thank you so much for your invitation. I really appreciate you asking me to speak. Thank you so much. That's a wrap on today's episode of Transformation Stories. If you found this episode as enlightening as we did, be sure to subscribe, rate, and leave a review. Your feedback fuels our mission to bring you more thought-provoking conversations.
00:29:04
Speaker
As we conclude today's journey, remember that transformation is within reach for every business, and it starts with deliberate choices. Keep pushing boundaries, seeking new opportunities, and embracing change. Until next time, this is Transformation Stories.