Healthcare
Vulnerability Management
Risk Management
Internet of Things
Cyber Resilience

Nexus Podcast: Christopher Frenz on Evidence-Based Security

Michael Mimoso, Nov 18, 2025

At the start of his career, Christopher Frenz was a pharmaceutical drug designer, specifically writing scientific software used to design new drugs. Cybersecurity was not on his career path back then, but the vulnerabilities he encountered on a regular basis soon started to shift his thinking. 

“I've been in healthcare for about 25 years now and actually got my start as a scientist, so I used to be a drug designer who used to develop software to design pharmaceuticals. Back about 20 years ago, I started taking interest in all these security flaws I noticed in software I was developing as well as that of my colleagues,” Frenz recalls. “And that got me really interested in the security side of things. So over time I transitioned away from my scientific background and more towards a security-focused background.”

On the Nexus Podcast, Frenz discussed how his background in science is foundational to the cybersecurity program he’s instituted as chief information security officer for a hospital system. Frenz, an O'Reilly coauthor of "Evidence-Based Security," takes an evidence-based approach to protecting life-saving medical systems and devices by testing the efficacy of controls and measuring, well, everything. 

“I think one of the issues with security today is we often treat security much more as an art form than a science,” Frenz said. “And we have a lot of compliance-based approaches that look for the existence of certain controls, but we don't really spend as much time focusing on the efficacy of controls.”

Testing Efficacy of Compensating Controls

Many compliance-based security programs take into account only the presence of controls while failing to systematically test whether those controls are making environments safer and, in the case of healthcare, keeping patients alive. 

“For example, today I have a firewall. I get five points on whatever compliance framework it is, but that doesn't really test to see if you have all the proper rules in the firewall,” Frenz said. “Are you doing egress filtering correctly? Are other things within that control configured properly? We don't really check that. So one of the things I'm very big on is actually measuring to see if the efficacy of various controls is actually in place.”

For Frenz, the a-ha moment came 10 years ago when he used the EICAR test file—a benign file detected by antimalware software as malicious—to simulate the spread of ransomware across a healthcare environment. 

“We learned a lot of interesting things about what worked, what didn't work, as well as how people responded to an incident like that,” Frenz said. “So it was a very eye-opening exercise to actually go ahead and measure security in that form.”

Frenz learned, for example, that controls such as segmentation worked to a degree, but not to the level of efficacy that was necessary. This prompted him to question other controls and to test them against actual attack techniques to determine how well they would stand up to real incidents. 
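The EICAR exercise described above, as an added example (this is not code from Nexus or from Frenz's program): a small Python harness that drops the EICAR test file on a list of targets and records two things separately, whether the write was possible at all (a segmentation and share-permission question) and whether the file is still intact afterwards (an antimalware question). The targets here are constructed temporary directories and the share names are hypothetical; in a real exercise they would be UNC paths to file shares, the script would be run from hosts on each network segment of interest, and the SOC would be told in advance, since the file exists precisely to trigger alerts.

```python
import os
import tempfile
import time
from dataclasses import dataclass

# The standard EICAR test string. It is inert; antimalware products detect it by convention.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
TEST_NAME = "eicar_test.com"


@dataclass
class DropResult:
    target: str
    written: bool      # False: the write itself was refused (segmentation, share ACL, missing share)
    survived: bool     # True: file still present and byte-identical after the settle period
    error: str = ""


def drop_eicar(target_dir: str, settle_seconds: float = 0.0) -> DropResult:
    """Write the EICAR file into target_dir, wait, then check whether it is still intact."""
    path = os.path.join(target_dir, TEST_NAME)
    try:
        with open(path, "w", encoding="ascii", newline="") as fh:
            fh.write(EICAR)
    except OSError as exc:
        return DropResult(target_dir, written=False, survived=False, error=str(exc))
    if settle_seconds > 0:
        time.sleep(settle_seconds)  # give on-access scanners time to quarantine the file
    try:
        with open(path, "r", encoding="ascii", newline="") as fh:
            intact = fh.read() == EICAR
    except OSError:
        intact = False  # deleted or quarantined
    return DropResult(target_dir, written=True, survived=intact)


def run_simulation(targets, settle_seconds=0.0):
    return [drop_eicar(t, settle_seconds) for t in targets]


def efficacy(results):
    """Two separate numbers, because two separate controls are under test:
    'reachable' counts targets where segmentation/ACLs let the write happen at all;
    'caught' counts reachable targets where antimalware removed or altered the file."""
    reachable = [r for r in results if r.written]
    caught = [r for r in reachable if not r.survived]
    rate = len(caught) / len(reachable) if reachable else None
    return {"targets": len(results), "reachable": len(reachable),
            "caught": len(caught), "detection_rate": rate}


def cleanup(results):
    for r in results:
        try:
            os.remove(os.path.join(r.target, TEST_NAME))
        except OSError:
            pass  # already removed by antimalware, or never written


def simulate_on_constructed_targets():
    """Constructed stand-ins for file shares (hypothetical names): one directory that
    exists and one that does not, the latter standing in for a share the source
    segment cannot reach. Returns the per-target results and the summary."""
    with tempfile.TemporaryDirectory() as root:
        reachable_share = os.path.join(root, "share_radiology")
        os.mkdir(reachable_share)
        unreachable_share = os.path.join(root, "no_such_share")
        results = run_simulation([reachable_share, unreachable_share])
        summary = efficacy(results)
        cleanup(results)
    return results, summary


if __name__ == "__main__":
    res, summary = simulate_on_constructed_targets()
    for r in res:
        print(f"{r.target}: written={r.written} survived={r.survived} {r.error}")
    print(summary)
```

Running the same script from a workstation VLAN and from a medical-device VLAN gives a per-segment reachable count, which is the kind of segmentation evidence the exercise above produced. The detection rate is only meaningful for targets that were reachable, so the two numbers are reported side by side rather than blended into one score; on a host with no on-access scanner (such as a bare build container) every reachable drop "survives", which is itself a finding.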

“Oftentimes you find that it does not, so the evidence-based security approach I really have is a framework where you figure out the threats that are pertinent to your environment, what are the risks that your environment faces?” Frenz said.

Attack Simulations Surface Exposures

Today, Frenz continues to run sophisticated simulations, using frameworks such as MITRE ATT&CK and commercial simulation platforms to execute attack tactics, techniques, and procedures (TTPs) against his mission-critical infrastructure. This not only surfaces exposures that need remediation, but also helps him develop metrics that measure the impact of those threats on the environment and make informed decisions about how to modify the controls in that environment.

This approach has also cleared a pathway to the board and other business leaders. 

“I've used this approach at two different organizations now. It's a little bit different than what [boards] are traditionally used to seeing, but within a couple of board presentations, they grew to really like the approach simply because of the way to show ROI,” Frenz said. “For the first time, it wasn't the CISO saying that this investment made us more secure. It wasn't abstract like that. I could actually show the data behind it. So we were scoring this.”


Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
