In this episode, Mike welcomes Hugh Tower-Pierce, newly appointed CISO of Zocdoc. At the time of our interview, Hugh held the position of CISO at Oscar Health and shared thoughts on the importance of empowering and enabling security executives within organizations.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host Mike Murray.
In today’s episode of In Scope, host Mike Murray welcomes guest Hugh Tower-Pierce to discuss today’s landscape and look to the future. Professionally, Hugh has worked across a few different industries, and he gives an overview of each along with a brief background on who he is. Since he didn’t come from a healthcare background, Hugh shares what he found to be different about healthcare security, what is the same, and where the regulatory learning curve is steepest. Listen to his thoughts as he reminds listeners that this profession is in a constant learning mode.
Mike asks Hugh how healthcare workflows being centered on the electronic health record changes the security picture, since so many of an organization’s crown jewels sit in one place. Hugh discusses how this has shaped his thinking: it is crucial to understand where the data is, which category it falls into (PHI, PII, intellectual property, internal, public), which systems it flows through on the front end and back end, and what access and privileged-access controls apply to each category.
Mike says it is very important to understand the business that you are in, and Hugh certainly does. How does he work to understand the business model? How did he get the skillset that he has? Hugh shares his personal thoughts on these questions and his journey over the years. The security function exists for a reason, so we need to consider what it means in connection with other departments; there is both a technological and an operational impact.
The conversation shifts to look at how the industry is moving forward from here. How does Hugh see the security role changing? With this ongoing evolution, Hugh shares his view that security should be tied to the risk management function, and that the expectations for a security function need to be defined for each individual company or organization.
Listen in on some key questions you should ask, including “what do I want my security function to do?” Hugh says that the answer will shape who you hire. He talks about what executives need to do to think more carefully about the hiring process, and how the role looks different as companies evolve and grow: from startups, to early stage leaders, to organization-scaling leaders, Hugh describes the transitions that take place. As the conversation draws to a close, Mike asks Hugh about the IPO process and what wisdom he personally gained from walking through it. Do not underestimate how much controls matter in accomplishing security objectives.
– Mike Murray welcomes guest Hugh
– Hugh introduces himself
– Similarities and differences between healthcare security and the rest of the industry
– Having all the “Crown Jewels” in one place, and how that impacts this field
– The importance of understanding the business you are in
– How Hugh got his skillset
– The industry moving forward
– “What do I want my security function to do?”
– How to teach executives to think well
– Stages of a start-up and communicating transitions in roles
– The IPO process and Hugh’s thoughts from walking through it
– Where you can connect with Hugh
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.8 Mike Murray: And welcome to In Scope this week. As always, I’m Mike Murray. And this week, I’m joined by a really cool guest who I met many years ago in a different life, and now he is doing one of the most interesting jobs in security as far as I’m concerned, and especially in healthcare security. So, today we have with us Hugh Tower-Pierce, the Chief Security Officer of Oscar Health. And formerly, many different things, but I’ll let Hugh talk about his background a little and give everybody a bit of an introduction. So Hugh, welcome.
0:00:49.3 Hugh Tower-Pierce: Thank you, Mike. Great to be here. And thank you for having me on the program. It’s an honor.
0:00:54.3 MM: It’s really cool to see you again and to catch up and maybe tell the audience about you. Who is Hugh?
0:01:00.0 HT: Well, fundamentally, I’m a husband and a dad. Professionally, I’ve been across a few different industries. Oscar is a healthcare payer; a lot of our business is focused on technology, our technology platform, and the insurance side of the business. Before Oscar, I was in finance for a while. I worked at Two Sigma Investments, another technology powerhouse, and Fannie Mae, which was an interesting experience going through the housing crisis. I saw a lot of information security-related investigations and compliance-related work; it was just a great growing experience being there through the various adjustments in the industry.
0:01:40.6 HT: I spent some time attached to Norwich University, working for a consulting wing that was focused on the Special Operations community for the US military, and then before that in a few different places doing some IT support type work, which is essentially how I got my start. As that grew, I became more specialized and more interested in information security and forensics, and that kind of led into broadening that and eventually ending up with the honor of being at Oscar as their CISO.
0:02:09.0 MM: And it’s a really cool job. I mean, Oscar has grown incredibly fast over the last few years, and really the thing that… And I said this to you before we jumped on, the thing that I think is most interesting about your background is, you didn’t come from a healthcare background and you walked into Oscar. And you come from finance and government and other things. How do you find healthcare is different, and how is it not different? For any of the listeners who might be out there thinking, “I wonder what it’s like to go work at a technology-enabled healthcare insurance provider.” Tell us what your experience has been. Do you have to learn anything? Did it challenge any of your assumptions? All of those sorts of things.
0:02:46.1 HT: As I’m sure you know very well, our profession is in constant learning mode, trying to keep up with everything that changes: the technology and business and regulations. And I think probably the regulatory area is of particular interest in terms of the differences. It’s an interesting question too. I’ve been talking to some folks about how to design security functions and select CISOs. That’s a question that comes up often, I think, when a company is trying to be successful in picking its security leader: what type of leader do they want, with what background? And one part of that is, if the company is in one industry vertical, should they be considering professionals from other industry verticals, like in my case, someone coming from finance and going into health care? And what does that mean in terms of being successful? I think a lot of the learning that’s required is in understanding the regulatory impact: understanding what the regulations say and then translating them into things you can execute on in the leadership position, and in Oscar’s case, building out a lot of the programs that we have now and making sure they line up with those.
0:03:51.6 MM: Absolutely, and one of the things that I hear a lot when I’m talking to people about this same topic is that the workflows of health care being so centered around the electronic health record and patient records sort of change a bit of the security strategy and the opportunity. In most places, you don’t have all of your crown jewels in one spot, whereas in most health care organizations, the EHR is sort of the center of all of the stuff you’d wanna steal. I wonder… Does that change your thinking? Has that changed your thinking at all? Is that even relevant, especially with as fast as you folks move in terms of building technology around it? Riff on that a little bit, I wanna hear how your world is.
0:04:36.3 HT: Yeah, I guess the way I think about it with Oscar, we have a product that is an EHR ourselves. We also have a large portion of our technology focused on the insurance processing, insurance claims and member care for the insurance business. So understanding… I think really the key is understanding where the data is and how it shakes out in terms of the category. If you’re talking about our members, that’s PHI, so understanding where the PHI lives. What systems does that apply to, both on the front end, like applications where it’s being used for some sort of value-add purpose for the member or for processing purposes, and then the back end as well, so you can have good controls around access and privileged access especially.
0:05:20.4 HT: And then also, in a health insurance company like ours, and in any company, you have employee information, which may not be PHI but is certainly PII. And so that also deserves protection, and I think you have to understand the difference between those two because they come with different controls requirements, different reporting requirements. And then making sure that you’re taking protected information and differentiating it from other types of business information, so intellectual property, because Oscar, like other companies, has a set of information that is core to our business, that’s confidential. And then things that are internal, so our planning, and all the way up to things that we publicly disclose. So again, I think it really matters how you look at it in terms of categorization, and then making sure you understand for those categories where that information is and what kind of protections and controls apply to it. And then after that, it’s testing, you know, testing those controls and constant improvement.
0:06:17.4 MM: Hugh, you said something that makes me realize one of the things that I think is so interesting about you as a security leader specifically, and I’d love to chat about it a little bit. From the very first day I met you, it was clear you’re a very technical guy and you understand the technology that you’re building, but anybody who listens to you speak should take note of how well you understand the business of the company that you’re in. And I’ve always thought that it’s really incumbent on a security leader to understand the business. And I just think it’s something that came out right there in what you just did. And I find far too often in our industry, there’s not enough people who really get that. And I’d love to maybe… How did you become so focused on understanding the business model?
0:07:04.6 HT: I appreciate the compliment, Mike, that you gave. I don’t think of myself as the most technical person. I look at my team and there’s some amazing engineers in my team, and I think of them as being very much more technical than I am, that they just have some amazing capabilities that either I never had or I left behind a while ago, it’s one of the things that makes us successful as a team. I think the key to being a successful security leader is understanding the business. In order to connect to the other leaders in the company, you have to be able to understand their pain points, understand where to plug in in their processes to add value, and then really for your own sake, understand what it is that you’re trying to protect as a security person. I think that that’s probably one of the things that is a focus area for people who are growing from an IC role or a management position in security into the lead position in the company, is really connecting with other business leaders. I think you have that insight as well as I do, but I think that’s the way I see it. It’s really key to being successful in a security leadership role.
0:08:10.7 MM: I completely agree. So, how did you get that skill set and how do we give that skill set to everybody else. What’s the training that we should go through? And maybe just the easiest way is how do you train the people beneath you to do that thing if they come from a very technical place?
0:08:29.3 HT: Yeah, I think asking yourself a fundamental question like, “Why do I exist in the company? What am I here to do?” The security function in the company exists for a set of reasons, operating in our own silo or vacuum is not one of them. I think we have to be connected to other parts of the business, and we have to add value, and we have to think about what the common objectives are at the end of the day across the business to make the company… Or the organization successful. And then think about what that means in terms of daily, monthly, quarterly behaviors, connecting with the other leaders and making sure you understand what’s coming, being plugged… I think part of that is being plugged into processes, like planning processes, architectural processes, so that you know what’s coming and you can be ready for it and giving advice early in a cycle rather than late where you might end up, as a security person, end up in a gotcha situation where you’re pointing out something that people don’t wanna hear because they’re so close to production or release or whatever the term is for the process.
0:09:25.7 HT: Those are the things. And getting there, I think, is a matter of understanding that’s a fundamental part of your job: taking the technical base that you have as a security person or an engineer and bringing that with you as you move into these social connections and professional process connections you have to make with other people in the company, so that you connect, you end up being the glue. As a security function spans not just the technology parts of the business but also operational communications and strategic planning, as a leader, you want to be present in all those locations. This is something… I have a fantastic boss now who has a risk background, and it’s something we’ve been spending a lot of time talking about. I owe him some credit.
0:10:08.5 MM: I had a boss that had a risk background at one point. It was one of the most instructive couple of years experiences in my life because those folks can really help you think not just about security risk, but about the business risk as well. And yeah, I have a similar thing in my background and I appreciated it very much. I think I’m a much better leader for it. So with that, we were talking a little bit about how does the industry move forward from here, and I’d love to just sort of hear your riffs on that. As we come out of COVID, as the world kinda comes back.
0:10:37.6 MM: I heard somebody the other day say that the healthcare industry has gone through eight years of digital transformation in 18 months, and that’s true for some and less true for others. But how do we as CISOs and as security leaders, how do you see the role changing over the next few years, and how do you see the world changing as we come back, that is really gonna affect our world? Whether that’s threat landscape, whether that’s how we plan the business. Whatever your thoughts there are, but I feel like we’re in a time of transition, and I’d love to hear where you think we’re going.
0:11:08.6 HT: We were talking just before we started recording about some recent events in the media that are interesting in highlighting maybe the pitfalls. You can look at it as what are the constructive things, solutions going forward, and then what can we learn from the pitfalls that we’ve all experienced being in a security role in an organization. And at least for me, that’s an ongoing evolution in my thinking, but right now, my thinking is that companies and organizations need to associate the information security or the security function in general with a risk management function, and need to understand what it is they’re getting when they have a function in the company that does security and they have a leader for it. What is it that they’re expecting out of that, and how does that position integrate with the rest of the company? Which in itself ties back to what we were talking about a few minutes ago.
0:12:00.2 HT: I think that a lot of people in my kind of role find themselves with a lot of the responsibility for breaches when they occur, or the decision making up to the breach, but they haven’t been empowered to make any changes to prevent those. Or they provided the information, risk-related information, but that information wasn’t turned into action by other parts of the company. And I think when we start talking about those things, I think it gets to the heart of risk management practices and how organizations think about the role of security and how to level the function, level the leader in particular, because you see, if you go out and look for security leadership positions and companies in terms of job positions, you see them all over the map.
0:12:42.9 HT: You see some that are leveled as managers, mid to low level managers in terms of span of control, all the way up to people who are on the executive committee or leadership committee or whatever it’s called, in the organization. And in each of those cases, I’m skeptical about whether there’s been a lot of thought put into what that means; if it means that the organization is trying to accomplish a compliance objective by having the person in there or if they’re a very early stage company and they just need a set of engineering technical things to accomplish before they actually hire a leader into the position that will… A leader would come with, I think, inherently come with some large amount of impact across the organization. And so the expectations both for what the organization on the receiving end of a security function and leader gets, and also for the person who’s in that role, trying to be successful in that role, I think is really important. And I think we miss that mark quite a bit.
0:13:38.9 MM: I’ve seen far too often that decision isn’t made as thoughtfully as you just proposed, but it’s more based on, “Well, how much do I wanna pay for a security person? Okay, this much? Well, I guess they have to be a director in our salary bands.”
0:13:52.0 HT: Yeah, yeah. I don’t think people have any mal-intent there, I think it’s that people are just trying to get things done. Like the people who are responsible for this, whether it’s a CIO or CTO or whoever is the hiring manager, they have to get this done and they have a budget to work with. And I think you add those two things up and you have somebody in the position, and that is marked off as being done and you move forward, and then at some point that catches up with you.
0:14:19.5 MM: Yeah. And the thing that I think is so interesting, you just brought up something in my head that is a little orthogonal, but at the same time related, is that all of those people got to where they are by making good decisions generally, right. You don’t get to be the CIO or a CTO or a CEO of a company without having some track record of making good decisions that even when those people make decisions that may be somewhat questionable, there’s probably… It was probably not a terribly made decision at the time, in the way that they were making it, to your point. They were just trying to get a task done. But I’ve noticed that, especially in our industry, very infrequently is there the kind of thought around exactly what you just said: What do I want my security function to do?
0:15:01.0 MM: And if you know that you can hire the right team. And if you don’t know that, you end up hiring either, like you said, either I hire a really senior person who I really just want to be an engineer or I hire a really junior person and expect them to figure out really complicated business risk issues. And I think that I’ve seen too much of that in my career and I hope that we can fix that. So an interesting thing that comes up from that, how do we teach the executives, the non-security executives, the people who are hiring those security executives to do this, how do we make them think about this the right way?
0:15:35.5 HT: I think right now, we ask them to ask for help. I think there are people who can help with that. There’s some of the recruiting firms that specialize in CISO placements that are pretty good at helping flesh this out as part of the process, and that seems to have a lot of value from what I’ve seen. One of those firms has placed me. So I got to see that process of also seeing it in an advisory capacity as well. And one point you brought up there was who you hire, and a comment that I make is that… And I think this probably applies across disciplines, but that can be a moving target. And I think especially if that’s in any organization that doesn’t have a well-established information security function that has some tenure behind it, and so mainly I’m speaking about, I think this is the case for Oscar.
0:16:19.8 HT: Any company that’s in any part of the start-up phase or recently start-up, I think you’re talking about hiring somebody who will be doing one set of things on day one, but you want that person and you want that team that they may be building to transform into something else and maybe not too far apart. It could be a matter of, if you’re talking about an IPO process, it could be a matter of a year or two when they have to make a transition from… Across the board really. Building a function, building a team, and then also moving into a state of organizational existence that has a whole, separate existence as a public company versus being a private company. So that involves, I think, some additional thought into the person that you hired on day one. Can that person be the person you want to have in a year or two out or is that not gonna work?
0:17:08.8 MM: And this happens in all phases of the start-up; engineering leadership, finance leadership, sales leadership, those growth stages happen. And can you communicate to those people? If you had an early stage leader who now you need to bring in a leader that’s a little… That does different things. An organization scaling type leader, does the original person understand that or do they feel like they got demoted? There’s a lot of communication that has to be done to make that work well.
0:17:40.1 HT: Yeah, yeah, exactly.
0:17:42.9 MM: You mentioned the IPO process, and I know you’ve gone through it. And obviously, there’s a million rules about things you can and can’t talk about, but as far as it goes, it was the first time I think you’ve gone through the IPO process as the chief security officer. For all those other chief security officers at all the start-ups out in the world who hope to go through it some day, is there anything that you want to impart as far as wisdom that you wish you had known about what you’ve gone through, or that you wish you could have prepared for differently, or just hang on tighter? Whatever advice you have. I mean you’ve lived a process that many people hope to live at some point.
0:18:19.6 HT: Yeah, yeah. I’ve been in both private and public companies, but I hadn’t gone through the IPO process before. There are certainly people in my role who have gone through it a number of times. I think it can almost be a profession, like a routine to go through it. My experience, very generally, is that it was… I think it’s made me a better professional in the end. It was very intense. We did it in a relatively short period of time, from what I understand to be a typical preparation time. It involved an amazing amount of multi-disciplinary coordination across the company. It really is a transformative event for just the preparation process and who it involves and who participates in it.
0:19:00.1 HT: Maybe one of the areas that I really valued was how much the process and planning is a reminder of the importance of controls. I think this is something, as security people, we always pay attention to very closely, but it’s nice to have a regulatory-grounded process that is very much focused on the fact that controls are important, and getting that message out across the company. And it makes accomplishing some of the security objectives easier because there’s that incentive in the preparation process. So security was a priority before we were public, obviously, at Oscar, and continues to be so. So not a lot changed for us, but it was a great exercise in applying a fresh set of eyes with that lens of ensuring we have the right level of rigor for controls in place as we were thinking about operating as a public company from our private background.
0:19:49.0 MM: So Hugh, where can people find more of you? Are you speaking at any conferences? Social media? If I want more Hugh Tower-Pierce, where do I go?
0:19:58.6 HT: I love to connect with people on LinkedIn. I’m doing a mentor program through one of my CISO colleagues; she set up a mentor program. I’m not very active in terms of social media, but I always love engaging with people. For conferences, I have been partial to the Health ISAC. We’re a Health ISAC member. I was active in the Financial Services ISAC before that, and I think they’re great organizations, so that’s kind of the conference that I like. I went to Black Hat a couple of times. It’s a good thing to go to Las Vegas. Las Vegas is tough for me for any extended period of time, mainly just because I like to run and running in Las Vegas is hard unless it’s four or five in the morning.
0:20:44.3 MM: Especially if you don’t love the heat. August in Las Vegas. It’s not November in Las Vegas when it’s actually a decent time to run. But, yes. So, Hugh, thank you again for coming on. This has been a blast. Learned a ton and I think it’s been a really great conversation. Love to have you back in the future.
0:21:02.9 HT: Yeah, thank you very much, Mike. Great to do this with you, I appreciate the time.
0:21:08.0 S1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, pop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Hugh Tower-Pierce is an information security risk-management executive with 19 years of technical and people management experience within Fortune 20 financial, asset management, defense contracting, non-profit, and consultancy enterprises. Hugh has a demonstrated ability to build and mature information security programs, balance risk with business objectives, advise on strategic and operational solutions to technology risk, lead sensitive internal investigations, and develop high-performing teams. His career focus areas include computer incident response, policy development and governance, computer forensics, threat intelligence, physical security, internal investigations, insider threat, security product selection, data leakage prevention, penetration testing, and eDiscovery. He has experience providing information security consulting when establishing new business areas, and representing company interests during security due diligence and regulatory reviews. He currently serves as the Chief Information Security Officer at Zocdoc.