Secret CSO: Chris Bowen, ClearDATA

Originally published December 19, 2019 by IDG Connect at IDG Connect

Name: Chris Bowen

Organisation: ClearDATA

Job title: Founder and Chief Privacy & Security Officer

Date started current role: December 2014

Location: Austin, TX

Chris Bowen is the Founder and Chief Privacy and Security Officer at ClearDATA. He leads ClearDATA’s internal privacy, security and compliance strategies as well as advises on the security and privacy risks faced by customers, which include global healthcare organisations, payers, providers, life science companies, and market leading innovators from Asia Pacific, North American, and Europe. Bowen also leads ClearDATA’s international security risk consulting practice and has provided counsel to some of the world’s largest healthcare organisations.

What was your first job? I started my career in politics working for the U.S. House of Representatives but was lured away when The Donor Network of Arizona asked me to help rewrite the state’s donor legislation to make it easier to become an organ donor. Being able to write legislation that facilitated the donation of organs to save lives was a turning point in my career.

How did you get involved in cybersecurity? Once I finished my MBA, I decided to leave politics to start my own company focused on delivering complex web-based applications where one of my customers was the fifth largest hospital provider in the country. They really pushed me to make sure I quickly learned how to protect patient privacy. Whenever we wanted to deploy an app that even theoretically processed protected health information (PHI), there was a deluge of questions from HIPAA attorneys and privacy officials rightfully wanting to know how my company would protect that PHI. I became an expert at understanding privacy laws and regulations in order to make my business work. After several years of this, I realised there was no company solely dedicated to creating environments specifically to protect patient data. They were all generalists that didn’t fully understand the nuances of healthcare delivery. That was the seed of what became ClearDATA. With this idea, I approached a trusted lawyer at the hospital system and ran my idea by him about starting the company. His emphatic encouragement inspired me to create a company specifically designed to protect patient data (through privacy, security, compliance using the cloud) so that healthcare could continue to innovate and use these apps that improve quality and quantity of life for patients.

What was your education? Do you hold any certifications? What are they? I hold an M.B.A. and B.S. in economics from Arizona State University. Since then, I became certified in various privacy and security specialties including Certified Information Privacy Professional (CIPP/US), Certified Information Privacy Technologist (CIPT) from the International Association of Privacy Professionals (IAPP), Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional from (ISC)2.

Explain your career path. Did you take any detours? If so, discuss. During my time with The Donor Network of Arizona, I was exposed to seeing the tragic end to life juxtaposed with new hope given to a person who could not survive without a life-giving organ in the same 24-hour period which had a lasting impact. I was eventually asked to join the Arizona House Majority leadership as a key aid to the Speaker, where I continued to be involved with healthcare reform and internet privacy. I crafted and helped pass legislation for both healthcare and privacy in the same timeframe as I was pursuing my graduate studies combining two passion points of mine – technology and security.

Was there anyone who has inspired or mentored you in your career? I’ve been fortunate to have many mentors and influencers in my life, but the person who comes to mind first is Brandon Ingersoll. He was my old college roommate but came from two very different worlds. He was from the East Coast, affluent upbringing, with a total sense of belonging at the University. I was a first-generation student and worked my way through college doubting every moment. I literally dug ditches during the summer to pay for school. I was covered in sweat and dirt, fixing the irrigation pipes at the country clubs where kids like Brandon might play golf or tennis. Brandon treated me like a total equal, and it inspired and surprised me. In our first semester, he got a 4.0 GPA, and I thought, well I if I work hard like him maybe I can get a 4.0. So, I did. And I continued following Brandon’s example of claiming a seat at the table. This led me to meeting a guy named Mike Levitt – an insurance guy – who was taking a run at becoming governor. I thought, “Hey, maybe I should volunteer.” So, I did and he won. He eventually became the Secretary of Health and Human Services. All of this led me to eventually landing a gig running a congressional campaign for a man trying to be elected in the 104^th Congress. I never believed I couldn’t do this kind of work, so I put my heart into it.

We won a 5-way primary, and a tough general election. I became one of only 74 campaign managers in America to win a seat that helped the change control of Congress in 1994. I began attending a variety of political events as a congressional staffer and met the names of the day from Sonny Bono to Steve Largent to Newt Gingrich. That was a big deal for a kid with humble beginnings. I realised however, that they were all just people like me who reached for their dreams. So, I dug in and became the first in my family to earn a college degree (two actually) and to this day, I tip my hat to Brandon for showing me I had a right to be there. I earned my place at the table then, and I continue to work hard to keep it every day.

What do you feel is the most important aspect of your job? We all have big missions we’re working toward that are actual, not just aspirational. I want to solve the breach crisis. I want to stop the thieves and bad guys that ruin peoples’ finances, wreak havoc on their lives and compromise their health. Privacy is a passion of mine, and I want to stop these outside forces from stealing what is rightfully ours. If we can do this, we’ll be in a position to really use data in a meaningful way that can extend and improve the quality of life for so many.

What metrics or KPIs do you use to measure security effectiveness? Good metrics should be quantitative and objective, have a time dimension, be universally acceptable, grounded in truth, inexpensive, obtainable, and repeatable. Security effectiveness metrics can really be broken down into the following categories, including process, network, monitoring and response, virus/malware, events, assets, people, risk, and of course, data.  Here are a few examples:

Process Metrics:

Percentage of systems with formal risk assessments.

Percentage of systems with tested security controls.

Network Metrics:

Successful and unsuccessful logins.

Number of unidentified devices on the internal network.

Attack and threat frequency.

Outbound data flows.

Monitoring and Response Metrics:

Tool performance and availability.

Number of resulting “incidents” and data to incident conversions.

Mean time-to-detect (MTTD).

Mean time-to-respond/remediate (MTTR).

Virus/Malware Metrics:

Number of known vulnerabilities on externally facing systems.

Number of known vulnerabilities on internal systems.

Results of SIEM (Security Information Event Monitoring) results.

Event Metrics:

Project completion metrics for new tools, services, or remediations.

Number of incidents reported during a period.

Outages as a result of attacks, such as DDOS, ransomware, insider threat, etc.

Asset Metrics:

Lost or stolen corporate devices.

Device inventory and health.

Average time to upgrade.

Risk per asset.

Asset Metrics:

Lost or stolen corporate devices.

Device inventory and health.

Average time to upgrade.

Risk per asset.

People Metrics:

Number of staff taking security awareness and average scores.

Employee engagement results.

Technical trainings completed.

Risk Metrics:

Number of new risks, and their scores.

Number of risks downgraded or remediated.

Risks accepted.

Data Metrics:

Data location.

Data criticality.

Data safeguards in place.

Data classified according to policy.

Data created or destroyed.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The security skills shortage is affecting every organisation – just look at breach trends in nearly every industry. The bad guys are winning, and we’re still trying to assemble a few good men and women to stop them.

Skilled security talent is difficult to recruit, especially those who have kept up with cloud-based technologies and innovations. It’s even more difficult to find cloud-skilled security engineers who also understand healthcare. This skills shortage in healthcare technology is a real issue. The industry is working to address it though. ClearDATA is a voting member of the Healthcare & Public Sector Coordinating Council (HSCC – healthsectorcouncil.org) and this group of several hundred healthcare organisations has been working to address the growing need for cybersecurity talent in the health sector as cyber threats and vulnerabilities continue to grow. The HSCC recently released the Healthcare Industry Cybersecurity Workforce Guide to help hiring managers and Chief Information Security Officers think about cyber workforce development as a continuum, from transitioning IT staff to cybersecurity responsibilities, developing and managing professional development programs for executive-track cybersecurity personnel, and outsourcing critical functions not otherwise resourced within the enterprise. I highly recommend hiring managers to review this well-crafted document.

Cybersecurity is constantly changing – how do you keep learning? Change is definitely a constant. We hire self-learners. That’s really the only way we can scale at the pace of innovation in our industry. Our teams subscribe to a myriad of learning platforms, and we make self-improvement a big part of a career path. Our partners Amazon Web Services, Google, and Microsoft are also innovating at a pace that many cannot match. We have to stay in front of that. So we study, we certify and we provide thought leadership to the industry.

One of my favorite ways to learn is to teach. If I’m forced to teach others, either through in-person or online training, or if I’m writing an industry white paper, that becomes a forcing function for me to know my stuff. The fact is, I’m surrounded by people way smarter than me. I learn a great deal from them each day too.

What conferences are on your must-attend list? In healthcare, HIMSS events are a must. My favorite events also include IAPP Global Privacy Summits and HSCC all-hands events. These are great because we have the opportunity to practice cyber events via simulations. Infragard puts on some great events too. Many in our company also attend or speak at AWS re:invent, Google Cloud Next, and Microsoft Ignite.

What is the best current trend in cybersecurity? The worst? We’re able to use emerging technologies (such as artificial intelligence) to better evaluate heuristic behavior in systems. This allows us to determine what’s normal, and what needs further review much faster than in the past.

The worst trend is an oldy, but a goody: people. Humans still present the biggest threat to cyber security. People still fall for that phishing attack, though, which results in data theft, ransomware, and many other issues. That’s why we work so hard to try to remove people from systems using cloud automation and remediation.

What’s the best career advice you ever received? Go where the hockey puck is going to be, not where it is. We started ClearDATA when no-one was thinking of the cloud in healthcare.

What advice would you give to aspiring security leaders? Learn how to communicate with business people. It’s not enough to know how to read sysflow logs. You actually need to be able to communicate complex topics clearly, articulately, and professionally.

On the personal side, I recommend that you wake up early to take care of yourself. You’ll need to be healthy and centered because a career in cybersecurity can be very stressful. You’ll need to be able to effectively deal with that stress.

Finally, be a lifelong learner. Be humble. Be patient.

What has been your greatest career achievement? I’ve been fortunate to be part of some really cool events in my life but by far my greatest one was having the foresight to launch a company focused on protecting personal data in the healthcare industry; founding ClearDATA.

Looking back with 20:20 hindsight, what would you have done differently? Looking back, I would have thought bigger at a younger age. I would have immersed myself in learning more about investment, finance, and business. I would have sought jobs that would have taught me these principles so that when I was ready to start my own company, I would have had more knowledge to draw from. I would have had more college fun when I was young. I wasn’t raised in affluent or privileged environments, so when I first attended college I often wondered if I fit in. This is a common problem actually for first-gen students – those who are first in their family to graduate college. While I was working labor jobs to pay my tuition, my peers enjoyed time to learn and play and it made me wonder if I really belonged; if I could make it work. Thankfully, I had the influence of a good friend who was affluent, successful, made the Dean’s list – he had it all. He treated me as an equal and it made me realise the only thing blocking me from my dreams and the change I wanted to make in the world was myself. I would urge any young person starting out in college or in their career to not have limiting thoughts about what they can do or what they deserve. Go for it all. You have a right to be successful if you’re willing to work hard for it.