Fred Kwong, CISO of Delta Dental is featured on episode 50 of HIPAA Critical.
Fred Kwong: Absolutely. Thanks for having me. My name is Fred Kwong, and I’m the CISO and AVP here at Delta Dental Plans Association. I've been with the organization for roughly about five years now.
And a little bit about Delta Dental. We cover about a third of the US in regards to dental insurance and dental wellbeing. I’m so happy to be here today.
Hannah: That's amazing. When I was doing some research about you, I saw that your education and your career paths are pretty different. Could you give us some information about yourself in your work experience and how you actually ended up at Delta Dental?Fred: I grew up through IT and called it “the school of hard knocks” of sorts. My career started at an organization that ended up being an outsourcer. I worked on the help desk for AOL. So this was, so for those of you that are younger, probably have no idea what I'm talking about.
Hannah: Hey! know what AOL is, okay?!Fred: Okay, but it was kind of a big internet company at the time, really providing that ISP service. I grew my career from working there at the help desk to then kind of being a network cable monkey if you want to call it that. And learning my way through networking, eventually, taking on server administration as well.
And then continued to grow my career through the infrastructure track of IT, ultimately moving into security and then becoming the CISO of Delta Dental.
From a schooling perspective, it’s kind of interesting. I initially went to school for computer science, and after doing that, for about a semester, I was like, “I'm not a programmer. I’m terrible at this.” And it really wasn't where my passion was, right? My passion was really around the hardware.
But at the time, the school that I went to, anything related to computers fell into two camps. You were either in computer science or computer engineering. I wasn't as interested in putting together circuitry and micro boards. From that perspective, I was more interested in the infrastructure side of IT: building computers and PCs, and those types of things.
So again, from a regular schooling perspective, it just wasn't fitting what I wanted to do from a career perspective.
I ended up leaving school, working full time doing these helpdesk roles, and then eventually, I went back to school, and I got my undergrad in psychology and professional communication because I always had an interest in people and behaviors.
And as you can imagine, working at the help desk, you hear and see a lot of different people's frustrations. And having that kind of background really kind of helps you understand where they're coming from, and how that you could service those people best.
Hannah: I totally agree. As someone who's not very tech-savvy, it is really nice whenever I have to call a help desk that they're just polite, and they explain things to me in a way that I can understand. So that's cool that your psychology background can definitely help you in your current position.Fred: Yeah, so from there, I went to do my MBA because I was interested in moving more into a management position with MIS concentration; I figured at that point, I really do probably need to put some sort of IT/IS type of degree under my name. So I had my MBA with the concentration.
Then through that process, I went through a leadership course, which really brought me to organization development; which is where my Ph.D. is out of. Organization for development, for those that are familiar with it, is really one way of looking at it is psychology for businesses or a group of people that can really help develop culture inside an organization.
And again, those things really fascinated me, especially with my undergrad background as well. Doing the things that I did in IT is not just technology. We all know there are also people and processes that go along with it.
So I followed that passion. Because I thought it was really interesting.
And so that's why my technology skill set is really from either certifications, my own reading, or “school of hard knocks”. My educational background is really more on the business side, or the understanding of people and how to really drive cultural change within organizations, which is really important as the CISO.
Hannah: I totally agree, because to make cybersecurity or security or IT fun or topical for your employees, you have to come down to their level. Many organizations see cybersecurity or being proactive or building a proactive IT security stack as costly and without a clear plan for ROI. How do you approach cybersecurity and IT security within your organization?Fred: When I built the program here at Delta Dental, I focused on risk management. The reason I did that is because risk is a language that the business understands. Whether it's financial risk, or operational risk or cyber risk, right?
Ultimately, if you think about what cyber risk is, it leads up to one of those other types of risks. You either have a reputation risk, from a brand perspective. Either you have an operational risk, in terms of an outage or unavailable, availability of systems. Or you have a financial risk, in terms of loss of data, loss of IP. And those can all be quantifiable.
If you're tying your security program with risks, you can actually speak the language that your executives speak. Help them understand where the ROI is when it comes to building out your cyber program. Work with them to build that; you don't want to do it in a vacuum.
So working with them, helping them understand how much risk that they want to accept. An ROI associated with the different threat vectors that could be associated with your organization is really key to making that program successful.
When you go ask for dollars, and you say it mitigates X percent of the risk associated with a financial, operational or brand risk. Those are terms they understand and are more willing to help support your program.
Hannah: It's all about speaking the language of your C-suite, definitely. What would you say is one thing that every security leader should start and stop doing?Fred: One thing that they should start doing, if they're not already, is making sure that they understand what your business is and what is it trying to do as an organization.
As a CISO, you really need to be a business thought leader, in helping to champion the products or services that your organization is performing.
With that, security is not the lever of saying “no”. It's providing the knowledge in terms of how do we do these things, in a secure manner. And yes, in a manner that is acceptable from a risk perspective. If we had no risk tolerance, our computers would be Mission Impossible-style. With toxins coming down into your room, all those things.
But the reality is, we all take on a certain amount of risk as an organization just to be in business. We need to make sure that our security program helps accelerate the business, not hinder it, when it comes to providing those products and services. But making sure at the same time that leadership is aware of the risks that we're taking on. I look at my role as more of a consultative role in that sense, in terms of helping them understand if we move in one direction, it will cost us this or move in another direction we're taking on a potentially substantial risk. Are these the right decisions for our organization, right, and helping them navigate or steer through those decision mechanisms?
Hannah: What do you say there's anything off the top of your head that you think that security leader should immediately stop doing? Besides sending faxes, maybe?Fred: I think the other thing is to stop hitting our executive team with useless key KPIs or key performance indicators. Things like if you're telling your executive leadership team, how many viruses that you “blocked” this month. This doesn't mean anything, right?
It doesn't mean anything to the executives. It actually doesn't really speak to what your program is doing from a risk perspective. Yes, you are mitigating some viruses, but it's more important to understand what's getting through and why. That's the internal statistic that I would use, but not something I would share with my board.
Hannah: That makes total sense. How, if anything, would you say COVID-19 change Delta Dental’s cybersecurity plan?Fred: We were fortunate in the sense that we were always an organization that was built with the cloud in mind. A lot of our technologies are cloud-based so they can work outside of the Delta Dental office. We were very fortunate from that perspective.
But what really did change is, number one, kind of my role of leadership, in terms of handling the pandemic. I feel as though the other executive leadership team looked for me to help provide that guidance because security leaders really had to have that discussion with the executive leadership team because we're used to handling incidents and crisis management.
These are things that, if you've been in the business long enough, you're used to firefighting, diving in and spending days on and figuring out solutions for complex problems.
And when it comes to the pandemic, right, we had to all kind of jump in and go, “Well, what do we do with our folks? How do we support them? What is the new look and feel of communication gonna be?” So taking those existing skill sets that I had, and bringing those to the leadership for the forefront, I think is one of the big changes that happened with me.
The other piece is we had to make changes to the way that our controls were, with everyone working 100% remote. That means that we had to lax some of our controls, such as allowing printing from home because no one obviously was printing in the office setting or if some things still need to be printed.
Then the other side, I would also look at how we had to make changes in terms of the way we communicate. We wanted to make sure that at Delta Dental, we were informing our employees of what was happening in the world, making sure that they were getting good data, not only from a security perspective but from a COVID perspective.
So I partnered with my HR counterpart, and we held a weekly town hall where we would discuss the pandemic. We would discuss, you know, different pieces of security that they needed to make sure that they were doing when they were at home. This was all to make sure that they were still productive and not getting false information.
Early on, there was a lot of false information about what COVID was or what it wasn't. There were a lot of threat actors taking advantage of that; putting up tons of heat maps, and those types of things. When our employees were getting the information from us, they knew it was number one, something they could trust, and number two, it was secure.
Hannah: Well, that kind of leads me into my next question, human error can be a cause of HIPAA violations or data breaches. Does your organization require or encourage ongoing cybersecurity training for employees?Fred: Yeah, absolutely. That is something that's not only that we have on a yearly basis. But we have monthly phishing campaigns, we also celebrate cybersecurity month. And then normally on a month-to-month basis, we do some sort of training.
And it's not just all security for the workplace, right? We also talk about security at home, as well. The reason we do this, and again, is really to help embed the culture of security. The mindset of security amongst everybody is if people are thinking about securing their bank accounts or securing their personal PCs, or securing their home routers, they're also thinking that when they come into the workplace. “What does security mean?” and things that they need to be aware of.
So we do training in terms of some of those home devices too, so that not only do they know what to do to secure at home, but they can use those same learnings and turn it around in the business sense as well.
Hannah: I've heard that piece of advice from many CISOs and many VP’s of IT. If you can train your employees to bring their work practices home and practice them there and then bring them back to work everyone will be more secure and your IT will be more secure.Fred: Exactly.
Then the other thing it does is it brings it home for people, too. It's one thing to think about securing your password for your email at work but if you're securing your kids’ health records or personal bank information, that really makes it real for them. That way, to your point, it brings it both ways.
Hannah: You touched on this a little bit when you said you have monthly phishing campaigns, but how does email encryption fit within Delta Dental?Fred: Email encryption is another important control that we have inside of Delta Dental. We use it for our sensitive information. So not everything has to be encrypted, but we train our employees to understand what should be encrypted.
The other piece that we have on top of that, something that we're also in the process of rolling out, is around this concept of digital rights management where we tag documents so that only certain people can view them based on the classification of those documents. Then with that same technology, you get the right to revoke documents as well.
Again, we don't always focus on the security side of that. We also focus on the business practicality of that. If you're doing things where you're sharing a document back and forth, and you know it's something that you're collaborating with a third party.
When you get to that final state, we tell our end users, “Hey, you can revoke all of the drafts, so that people don't get that mistaken for the final copy anymore”. Or if that final copy has an end date, where it's a contract that expires, we can also tag that inside the document “Hey, this is no longer valid.” Those capabilities.
So again, pushing not just the security portions of that, but also the practicality and how this actually can increase or make you more effective from a business perspective.
Hannah: That's a really smart idea. I tend to, maybe aggressively, kick people off of Google Docs after I have their sign-off, especially if they don't work within my organization. I don't want them to accidentally change something, or still have access to something. I'm sure it frustrates some people, but it's better to be proactive than reactive.Fred: There was definitely some hesitation at first. But once people get the idea and the concept behind it, they're like, “Oh, yeah, this makes so much sense”.
There are tons of use cases where this makes a lot of sense. Then they started using it for that. And it's not that you have to use it for everything because you can mark documents available to everyone.
Continuing to drive that message of security and business practice, definitely.
Hannah: When I was researching a little I saw that Delta Dental has a training or an intern program for IT desk and help desk employees to understand cybersecurity. Could you elaborate a little more on this program for our listeners?Fred: When I look at internship programs as a whole, I think it's a fantastic way for us to not only connect with our community but help build the skill sets that we need for the future.
If you think about information security, specifically, there's a deficit in terms of the amount of skill set that we need, from an industry perspective. So these types of programs really help us to build the skill sets that we were looking for in the next generation of folks coming up.
I had a recent discussion with some university students lately, and part of that discussion was “Get into these internship programs, they will help you find new jobs, they will help you decide which track you want to go in when it comes to either IT or security”. There are so many different areas that you can live in this world of technology, and it's not all technical, right?
A lot of IT is based on processes or technical writing. A lot of the IT skill sets change and you don't have to be super technical. There's project management, there are all sorts of different roles inside an Information Technology Group.
Helping folks go through that, or view and learning from the help desk is fantastic because you get to try so many different things. For me personally, coming from that route, I know for a fact.
Hannah: Exactly. So now on a little more personal level, I know that you are extremely busy. How do you keep up with industry trends or best practices?Fred: Well, I listen to podcasts like these.
Hannah: Ha, good answer!Fred: But there's a lot of training everywhere when it comes down to it. So I meet with the vendors, partners that I have and try to get a heads up in terms of what they're kind of thinking, their roadmaps and understand what direction they're taking.
I attend conferences when I can, either virtual or in-person, back before COVID. I learn from my peers. That's a fantastic place to also get connected is to make sure that you're growing your own network.
From that perspective, a lot of my peers helped me to really streamline my technology choices. If I go and ask, “Hey, you know, what are you using for endpoint detection and response?” then they'll tell me “Hey, this is what we PLC, this is what worked for us and what didn't work and why we chose XYZ.” That saves you tons and tons of time, right? When it comes to just tracking down which vendors you really want to kind of speak to.
Hannah: Oh, definitely. Word of mouth is the best research ever. It's a very underutilized avenue.Fred: Back when I was hired, I told my leadership team, “You're not just hiring me, you're hiring my network of connections that I have. So even if I don't have the answer, I know someone in my network will.” Right?
Hannah: Yes, I will shoot out a text message or an email and say, “Hey, who knows about this”, and I will get a first-hand answer for you.Fred: Yeah. That's why the beauty of connecting is so important. To have those peers that you can really have these types of conversations with, because it makes you a better leader at the end of the day.
Hannah: It does and it makes you a better employee, for sure.Fred: Absolutely.
Hannah: Well, thank you so much for joining me today, Fred. I really appreciate you sitting down with me. It was wonderful to hear about Delta Dental and about your background.Fred: Thanks, Hannah. Appreciate the time.
Hannah: Of course. For resources on HIPAA compliance, healthcare cybersecurity, or how to prevent a data breach, please visit paubox.com/blog. Our July social mixer is next Thursday! If you’re interested in attending this free networking event, please send an email to hannah@paubox.com . Don’t forget - Paubox SECURE is back in person this year at the Park MGM in Las Vegas. Join us on September 29th and 30th for thought-provoking discussions around cybersecurity in healthcare. Albert Prast , CISO of AdaptHealth is slated to keynote. Head to pauboxsecure.com for more information, early bird pricing, and to book your hotel. If you’re looking to sponsor or speak, please email hannah@paubox.com . As a reminder, you can listen to every episode of the HIPAA Critical podcast on paubox.com or subscribe via Apple Podcasts , Spotify , iHeartRadio , Stitcher , Amazon Music or wherever you listen. Thanks for tuning into another episode of the HIPAA Critical podcast; I’m your host, Hannah Trum, signing off.