Biotech Bytes: Conversations with Biotechnology / Pharmaceutical IT Leaders

Cybersecurity In Healthcare: David Fiore's Expert Tips For Data Protection!

Steve Swan Episode 17

Discover essential cybersecurity strategies from expert David Fiore, who brings over 20 years of IT experience. Learn how to safeguard sensitive data in the healthcare and pharmaceutical industries. Please visit our website to get more information: https://swangroup.net/

Specifically, this episode highlights the following themes:

  • The need for a risk-based approach in managing data and cybersecurity
  • Real-world benefits of multi-factor authentication for sensitive data
  • Strategies for cost-effective information security in startup pharmaceutical companies

David Fiore [00:00:00]:
Is it better really to have a stronger central function and have leadership from the top say you will adhere to the requirements of the IT organization, of the security organization completely? Or is it better to have evangelists embedded within the business units? And I think it goes both ways, because at some healthcare companies, you need to have a data science or an Epic application person working with the nurses in the hospital, because all the nurses can't be an application specialist on all the applications per se to the degree that a person working for an IT function could. So I think it depends on your industry and what you're doing.

Steve Swan [00:00:41]:
Welcome to Biotech Bytes. I'm your host, Steve Swan, and today I have the pleasure of chatting with Dave Fiore. Dave, welcome.

David Fiore [00:00:51]:
Thank you, Steve. Glad to be here.

Steve Swan [00:00:53]:
Sure. On Biotech Bytes, as I think we explained, we chat with technology leaders, we chat about different topics within technology and understand where some of the trends are and get some of their thoughts and feelings on that. And I think today with Dave, we're going to focus on, or at least touch upon pretty heavily some of the cyber IT security things. So, you know. But before we get into that, Dave, I was starting out just to get sort of a baseline on our guests. So just a little understanding of you and how you got to where you are and what you do today.

David Fiore [00:01:26]:
Sure. Thanks, Steve. Well, my name is Dave Fiore, and I started out actually in system administration back in the nineties in the casino industry. And from there in so doing that type of work in the casino industry, it naturally had a security bent and an angle that way because you were always dealing with making sure that systems were safe, that they couldn't be tampered with, things of that nature. So as I progressed through that career opportunities started to present themselves more in the Philadelphia area. And that's where I wound up actually starting my cybersecurity career in the financial sector with banks and businesses in the Philadelphia area. Things you might have heard of, like Beneficial Bank, Cigna, healthcare, organizations like that. I've always been data agnostic because everybody has something to protect, whether it's financial data or healthcare data or, you know, pharmaceutical information, you know, things around intellectual property, things of that nature.

David Fiore [00:02:29]:
But, you know, we all have something to protect. So I've really enjoyed the last 20 years of my peer focused information security, data protection career here in this southern New Jersey Philadelphia area. And right now I am in between work. The last position I held was the corporate director of cybersecurity at AtlantiCare. That was for just about a year, and then prior to that, for three and a half years, I was the senior director of security operations at Planned Parenthood Federation of America.

Steve Swan [00:03:02]:
Very good. Thank you. Thank you. So one of the things that I found pretty interesting in your background and what I'd like to maybe start with is you've held both the moniker of the CISO and the moniker of the title of the CIO. So you kind of know sort of both angles and sort of what's needed, right, from an IT perspective when it comes to security, because you can look at it as a CISO and you've seen it as a CIO. Right. So, you know, and I don't talk to a lot of folks that have that kind of, you know, pedigree in their background. Tell me what you, you know, what your thoughts are not on having both titles, but more on from a technology perspective, you know, from those two interacting together and what they need to be thinking about.

David Fiore [00:03:54]:
I think it comes from my background coming up through system administration. I was never the network guy or the security guy. I was more of the application and system person. And so I always had to make sure that things were up and running and accessible for the business areas, whether, you know, accounting, marketing, things like that. And so as I started to progress in my career and I wound up actually, ironically, wearing a CIO hat at a pharmaceutical company, I already knew what was important to the business. It wasn't, you know, putting moats around things and things of that nature. It was availability. And making sure people could do their jobs was what was important for the business.

David Fiore [00:04:34]:
And as a CIO, that should always be tantamount, I'd like to think, because, you know, we're not going back to typewriters, we're not going back to green bar paper, handwritten ledgers. Everything is electronic, everything is through a portal, everything is through some sort of service, whether it's SaaS or Das or whatever the case may be, whether you create your own applications, purchase them, whatever. Again, whatever the case may be, it's that availability that is important and should be tantamount to what the CIO thinks about. Because when those things are down, something is going to happen. And that's where the information security data protection area comes in. Because when those things are down, you're either losing money, you've been breached, or you're having a situation where you now have a reputational concern or you have a financial concern, things of that nature. So wearing both hats for me at a pharmaceutical company was actually very good because I got to see both sides of that, especially around the interplays with CFOs and CEOs and budgets and the importance of not putting an expensive moat around something that really doesn't need to be protected because the value isn't there versus having something that's high value and forgetting about to protect it, that type of situation. And so being able to balance that, being able to do the risk analysis to really know where to put the dollars, I learned that from wearing my CIO hat and my CISO hat at the same time.

Steve Swan [00:06:04]:
Yeah, you had talked about that with me in the past. I remember one of our conversations where you started talking to me about Steve, everything's got a cost, so you got to evaluate the cost. What do you want to spend versus how secure do you need it? If you could spend a gazillion dollars and everything could be super secure, but do you have a gazillion dollars to spend?

David Fiore [00:06:24]:
You probably don't, and that's a big concern nowadays I think with a lot of CIOs because things are so opex, you're giving your money to Microsoft every month, every year, so that people can have productivity tools to do the work they need. Now does it make sense to throw everything into that one basket or does it still make sense cost wise and operationally to have the security side carved out with other security vendors or things of that nature? And that's where I think the CIO and the CISO have to get together to understand what's the value there overall. Does it make sense to have CrowdStrike and Proofpoint and Office 365? You know, what is it, like three reals or whatever lower level of Office 365 there is for business? Or do you really want to go five reals or even beyond and just throw everything in with Microsoft? And that's where I think a lot of people need to still throttle back and figure out where a lot of those companies are. But that's the type of thing you need to think about because at the end of the day you're spending opex money continually. I've seen some comments online and some articles online. I don't know if you've seen them lately, but people are now seriously starting to think about going back to creating their own hosted data centers and running certain aspects of their business in house so that they're not paying Amazon a large monthly fee for AWS or Google for GCP. They're actually going to companies like I don't know who's a big hosting company anymore, like TierPoint or, or who was that one company that was always hosting websites that had insanely devoted salespeople and Rackspace, for all you know, if you need a bunch of virtual servers running and you have the technical folk to actually do it well and secure it, maybe you could run everything inside again and it might be cheaper than running things on AWS. You don't know.

Steve Swan [00:08:29]:
So what you're saying is bringing it in, because I haven't read this, bringing it. So going well, it's always cyclical, right?

David Fiore [00:08:35]:
Everybody wanted to go to the cloud because they didn't want to have their data centers, the cost, the air conditioning, the real estate, all that stuff. And they also didn't want to have the overhead with staff, because when you have a data center, you need operational people to run the data center, and you might need them 24/7 so that type of thing, and having the cloud, that reduces that type of expense. But as we all know, cloud costs have kept going up. And so people are trying to do multi cloud and maybe run certain things in AWS, run certain things in Google, run certain things in Microsoft. But there have been some articles in the last 24 months about people saying that, why can't we just go, why don't we go back the other way and see what the cost would look like to drive, try to do our things, try to do things ourselves again? And it's interesting.

Steve Swan [00:09:28]:
Are they fine? Did the article go on to say.

David Fiore [00:09:30]:
What the, some companies, especially companies like, you know, where their business model isn't necessarily high security or there's a lot of risk, like for example, I've had some friends in the advertising space where they've gotten tired of hosting all of their images and everything up in, in Google or Microsoft or where they're paying money and they're just buying the disks and the things they need to do, put them someplace like Rackspace, build up a virtual environment and just save everything there, and they don't have, that becomes a capital expense at that point, and they don't need to worry about the ongoing expense for storage because storage, hard drives are cheap, that type of thing. Even now, solid state drives are cheap, and if you do it the right way, you can have the level of redundancy that you need.

Steve Swan [00:10:20]:
But us in pharma, right?

David Fiore [00:10:23]:
Yeah, when you run pharma, yeah, but.

Steve Swan [00:10:26]:
Us in pharma, we've got that high, that need for that real tight security, right. Especially with our formulas and our data, right? Are there any tools that you think that are coming along that are going to make this more cost effective or is it just a matter of the cloud providers?

David Fiore [00:10:48]:
I think it comes down to a matter of the cloud providers, because the tools being able to do good security in depth has always been available with the tools that we have right now. And the tools we have right now are always getting better. Firewall companies like Palo are always getting more advanced. Endpoint protection companies like CrowdStrike and SentinelOne, they're always getting better at what they do. But if you can create that into a capital expense or use those inside to create your own, is that going to be cheaper or the same? Or it comes down to what level of control that you want as well, versus putting it out into cloud. When I worked at Oroko, we were a cloud first company, meaning that we used Microsoft, we used 365, we used Okta, we used Veeva Systems, we used companies so that we were using their products, their systems through their portals, so that we had very little on-prem that we had to worry about. Did we have information on-prem? Yes, we did. We were a vSphere VMware shop.

David Fiore [00:11:59]:
We hosted at Sungard. We had failover between different Sungard nodes, but we wanted that because that's where we kept our intellectual property. You know, we didn't keep our intellectual property in 365 in a SharePoint site, etc, etcetera, or, or with our, you know, with, in other places where it really shouldn't be like, you know, Box enterprise. We were a Box enterprise customer as well. We like to keep it close to hand so that we always knew where it was, and we had security controls and agents on our machines that would let us know exactly where that data was based on how it was used, how it was tagged, things of that nature. You can do that now, all with 365 reals, or whatever it is through SharePoint controls and all those different things that actually works. We were testing that out at AtlantiCare at the time. And if you are logged in with your Microsoft ID and you were set up so that, you know, you could only save to an AtlantiCare SharePoint site, that's the only place you could save, you know, you were not able to save locally, you know, on another drive, you only could save to that site that really wasn't available five years ago.

David Fiore [00:13:14]:
You know, we had to use things like Digital Guardian and other products out there that would give you that data protection type of service, you know. But yeah, at Oroko we were, we kept our intellectual property close to the vest and we did not. We always knew where it was, and we were very leery of sharing with anyone outside of the people that we actually subbed, you know, Catalan, companies like that to actually make our product. Because we didn't make our own product ourselves, we used companies like catalytic and others to do that for us.

Steve Swan [00:13:50]:
Now, I've had people talk to me about actually creating a data security function completely separate, on its own, maybe a subset of security or on the site. What are your thoughts on something like that for a biotech or pharma? Do you think that's overkill?

David Fiore [00:14:07]:
It could be. It depends on how big your company is and how you want the program to be perceived. So, for example, we did something like that at Planned Parenthood. Actually, I can talk very briefly about that, because at Planned Parenthood, information security was a product that we provided to our affiliates from the national office. And the reasoning was, is that the national office had the funds and the wherewithal and the staff to provide information security for the northern New Jersey Planned Parenthood affiliate or the Northern New York Planned Parenthood affiliate, because those affiliates have a CIO that's under the gun to keep the clinics up and running, and they might not have the time or the staff to actually focus on information security, in which case then they'll say, hey, national office, we will use your information security program to protect our environment. And so in that case, what we were doing at the national office was spreading a system of protection that was widely, you know, accepted and actually quite revered. Because at the end of the day, I believe by this time, you almost have all the affiliates across the nation within our information security program at Planned Parenthood. But if you're a big pharmacist, think about Pfizer.

David Fiore [00:15:27]:
I think that's exactly what Pfizer does, because they have a separate information security function, data protection office, and they make sure that all of the affiliates that do business with Pfizer adhere to the Pfizer standards around cybersecurity, around vendor risk, all those things, so that it's evangelized from a central point. Comcast does that as well, because they want to make sure that anybody that's developing for Comcast or NBCUniversal or Comcast affiliates is getting the directions and policies and best practices around information security from a central source, you know, so I.

Steve Swan [00:16:06]:
Think, yeah, well, otherwise, yeah, well, otherwise they can infect the systems. Right, right.

David Fiore [00:16:11]:
Otherwise you have people doing security in a vacuum, what they think is best, you know? Oh, we, we know that our product is good because we've been using this code scanner. You know, our developers know all about that. Don't worry about it. They're going to use what they know to make sure the code is secure? Well, that isn't necessarily the standard of the organization. You really should be licensing seats to use the code scanner or the application security product that the corporate office requires and recommends and things like that. So we've all seen centralization and decentralization waves within IT. Where we are right now, overall, I don't know if we're at a peak or a trough. I think we're in a middle right now because I think we've seen a lot of organizations try to do a little bit of decentralized evangelizing of information security with business information security officers being embedded in the business, reporting back to the central information security function.

David Fiore [00:17:16]:
But is it better really to have a stronger central function and have leadership from the top say you will adhere to the requirements of the IT organization, of the security organization completely? Or is it better to have evangelists embedded within the business units? And I think it goes both ways, because at some healthcare companies, you need to have a data science or an Epic application person working with the nurses in the hospital, right? Because all the nurses can't be an application specialist on all the applications per se to the degree that a person working for an IT function could, you know, that type of thing. So I think it depends on your industry and what you're doing.

Steve Swan [00:18:05]:
I do get some of the technology leaders that would come to me and they say, you know, I need a cyber, right, I need security, but I don't want it to your point to get in the way of business, right. So how flexible do we want to be to your, you know, if it's coming from the top and the tamborn it down and they're just saying it's this way or the highway, that could adversely affect business. But if the person's embedded in business and they understand what business is doing, and they can make sure that ends.

David Fiore [00:18:34]:
On the business, because honestly, the business should always take a risk based approach, right. You know, that part of the business isn't touching customer data, patient data, intellectual property, things that are high risk, then they might have more leeway with what they can do, and they might have more leeway with how they can interact with vendors or other things. But once they get to that portal or that bridge or that crossing point where they need to share confidential data with a vendor partner, that's when somebody really needs to focus and say, well, and really just a person to person conversation and just ask for the right questions. You can do that through forms, etcetera, etcetera. But at the end of the day, if you've been evangelizing data protection, Cigna was very good at this. If you've been evangelizing data protection for years across the organization, then you might wind up having an organization that treats information security as a business partner. They know, the business units know to go to data protection and ask, hey, what's the policy around this? Is it okay to do this? And someone in data protection will say, yes, you do know the policy. That's exactly the policy.

David Fiore [00:19:51]:
You're doing the right thing. Thanks for asking. Go right along your merry way and keep doing what you're doing. But in some cases, somebody might ask, we need to, we have an emergency. We have to put production data in a non prod environment to do a test really quick. You know, what can we do? Well, data protection shouldn't say, no, you can't do that because there's a business situation there, right? They need to get this application up and running in a week, and they still need an amount of data to do testing, but it has to be production data because they can't get it masked in time. Well, what do you do? Well, a good information protection person would ask, well, how much data do you need? Do you need 10,000 records, or could you make do with 100? How many people are actually going to see the data? Are they all employees? Are they all onshore? Are any of them vendor partners or offshore developers? And if you whittle all those questions down to a function to say, it's a time bound situation where you're going to do this thing that might not be within policy, that's an exception, it's time bound. You have the people do it, and when it's done, you get the data out of production and you go back, you, the situation is fixed, and you're in a good situation now, those people know in the future, if they need 10,000 records, they go to the data masking team and they get that information.

David Fiore [00:21:08]:
That's not information protection. That's some function of IT that helps developers get the data they need to do the testing they need to do in non-prod environments. So that's what I love about information security and data protection and all that stuff, because you get to talk to people and cajole them into doing things the way they should to protect the things that need to be protected, and to think about things that might not be, need to be protected in a way so that if they ever get to a situation where they know they feel leery, or they need a question, they know where to go to ask those questions. It's never a closed, never be afraid to talking to your information security people at your company because at the end of the day, you know, they're there to help. The years ago when they were the department of no. Or whatever that was back in the day, that's not, that really isn't the case anymore. You know, there's. Yeah, I mean, at least I like to think so.

Steve Swan [00:22:06]:
It may still exist. I don't know. You know, I've spoken to folks on the phone and such about this. And, you know, one of the things, I'll give you an example, and I won't name names, but a company that we work with locally, you know, decent sized company, several billion in sales. Their data security folks are trying to get a, you know, bunch of practices and policies in place, but they can't get anybody at the top to say, okay, the buck stops with me when it comes to data. You know, they're tracking who downloads what, when it leaves their four walls, you know, the whole thing, everything you talked about, right? Figuring out who's doing what. But, you know, if someone does something silly, maybe a ChatGPT mistake, who knows? Whatever data leaks, who owns it, what happened here, who does it, and all the top brass like, no, not me. Not me.

David Fiore [00:22:52]:
The business owns it. And so who in the business is responsible for those types of things? It's either legal compliance or corporate operations, right. Or compliance and pharma. And pharma, it was always compliance because compliance and legal. Usually compliance, legal and infosec were like this in a pharma because you know, those, you know, if you have a person that's taking intellectual property away from Pfizer and selling it to China, who's involved? Compliance, legal and infosec, because they're going to wind up finding that employee, bringing charges against that employee, probably bringing in the FBI and the federal government and do those things that they need to do to prevent that from happening or to actually stop that. Now, what you're saying is that where does the buck stop? The buck stops with the business leaders. And you really can't have the CIO or the CISO be the fall guy. If they're going to be the fall guy.

David Fiore [00:23:55]:
They need more people to hang together with, like the chief legal officer or the chief risk officer, which, of course, then brings up the idea, why can't all those folks get together and create a working group or a center of excellence? That's always a popular term, right? And actually create a center of excellence around data protection so that they know what kind of data can be shared, that they classify the data. If you share this, it gets out of the four walls, no problem. It's the same information that's in a phone book. It's publicly available. But if you share this, this and this, that is a problem, because now we have New Jersey breach laws, we have national breach laws, we have HIPAA, we have concerns we have to be worried about, know the difference, train against it, get HR involved so that they can actually have training and awareness, or have your own infosec people do training and awareness around that. Training your people really does help because it gets people to really question what they're doing sometimes once they've been inoculate, you know, indoctrinated with the training for a while. You know, hospitals are like that a lot because whenever you go to a doctor's office, you see the information security things on the wall and the waiting room. You know, make sure you lock your workstation, make sure you don't, you know, make sure you don't talk too loud, you know, make sure you discuss only the pertinent things with your patient.

David Fiore [00:25:21]:
You know, those types of things. We would always have people asking us at Infosec, is it okay to do something. When I was at AtlantiCare, you know, is this okay? Is that okay? Which is good, because you want people to come to you and not make a decision in a vacuum on their own type of thing.

Steve Swan [00:25:37]:
So, well, with your training, like you said, you know, once they've been sort of trained up, I mean, you know, what you can, most you can hope for is, a, they do the right thing, but b, if they don't do the right thing, at least get them to hesitate and think about, what am I about to do? How's this going to affect somebody? And if they don't know, make the.

David Fiore [00:25:55]:
Question, you know, at the end of the day, if training fails, you have to have compensating technical controls. You can't just put all your eggs in one basket with training and not have endpoint detection or not have data loss prevention, or not have all these things depending on your industry. Pharma, again, is interesting because a lot of people were always concerned about marketing materials, where to store them and how to, you know, how to handle that. And we were a Veeva customer and had a lot of things there. But at the end of the day, once you get to a certain point with pharmaceutical marketing materials, it's all public knowledge because it has to go through approval by the people that tell. Who is it? Is it the, what's the department of the federal agency? You know, if you're, there's a federal. For healthcare for pharmaceuticals. It had to.

David Fiore [00:26:57]:
Not the Department of. The Department of Health. I can't think. You're going to have to edit this whole thing out. But, you know, people were concerned, oh, my God, if this pharmaceutical information gets out. Well, wait a minute. No, this is all public knowledge. This is the, this is the glossy that's going to go into the magazine about the drug.

David Fiore [00:27:12]:
So you don't need to protect that. You know, you want to put that. Now put that in box.

Steve Swan [00:27:17]:
The Sunshine Act and things like that. Right.

David Fiore [00:27:19]:
You know, Sunshine Act. Or it was the other thing. The Food and Drug Administrations. The FDA. Yeah, the FDA had requirements around what you can have in a pharmaceutical advertisement describing the drug. Right. You had to have all the reactions, all the tests, you know, all that stuff. Well, once all that stuff is in the final copy, that's all public information.

David Fiore [00:27:40]:
So don't, don't freak out about that type of stuff going into enterprise Dropbox or enterprise Box to share with your ad firm. It's okay, because it's public information at this point. Now, the tests and the patient reactions and all those things that might be able to identify patients who are taking our drugs during a test phase or a trial phase, that needs to be protected. Right. Because that can't get out. Because if that doesn't, you might have somebody's information about a cancer drug they were taking that had adverse effects that caused, you know, whatever. That's not publicly available information. That's protected health and care information, you know, so that, so pharmaceutical companies pretty much have this down pat.

David Fiore [00:28:31]:
And that's why startup pharmaceuticals were kind of fun, because everybody in a startup pharmaceutical came from a big pharmaceutical. They have a new drug they want to start up and make money with, but they want to do things in such a way that it's not as expensive as a traditional pharmaceutical company and maybe do things newer and cheaper or better or faster. And that's where it was fun being on infosec in that environment, because you got to help people figure out the best way to protect things at, you know, with the best risk ratio, etcetera.

Steve Swan [00:29:05]:
The money risk ratio. Right.

David Fiore [00:29:07]:
Exactly. That is the last thing a startup pharmaceutical wants to do is have the costs of a traditional pharmaceutical for a.

Steve Swan [00:29:13]:
Small one, for a small pharma startup. Right. I just asked it this. It just came, you know, is there a. And you don't you don't have to even answer this or give me an answer. Right, if you don't have one. But is there a vendor that they should call that does these kinds of things, specializes in the small pharmas, or is that something that you got to rely on your internal folks like yourself for? Because you're there, you're living it. You've done it.

Steve Swan [00:29:36]:
You've been at the big pharmas. Yeah. I mean, it's something that the internal folks need to do.

David Fiore [00:29:41]:
When it comes to hospitals, yes. There's companies out there that specialize in doing security for HIPAA-regulated entities, doctors' offices, you know, doctors' clinics, healthcare systems, hospitals, things like that. When it comes to pharmaceuticals, I am not that sure because that's more of a specialized thing. As we all know, there's plenty of enterprising business people that want to solve a problem that a person might have. And so that you've heard of companies like Veeva Systems or outsourcing your entire sales force so that your sales forces, essentially, you're leasing a sales force, and so you don't have, you know, you don't have HR obligations, you don't have all those different things. That's the other company. That's the other company's problems. You know, there's things like that for certain things which we took advantage of, but when it came to IT and information security and things like that, it was mainly done through good third party, local business partners that might be either regional or not national.

David Fiore [00:30:47]:
Because if you're a small startup pharma, once you get to, like, a national partner like CDW, and CDW is great, but CDW might be too big for a small startup pharmaceutical. You might want a more regional, you know, player per se, and that goes with Infratech as well, you know. But, yeah, when it comes to, like, when I think of companies that do things like this in, in the hospital space and the healthcare companies like Clearwater come to mind, there's another company that we worked with. I can't. Oh, I just thought I'd ask. Yeah, there's companies out there that do this, but when it comes to startup pharma, it's a little bit more rare, I think. But that's where having your leaders in legal compliance, etcetera, in your startup pharmaceutical, they remember all this from big pharma, most likely, and they realize that they have to do certain things in a certain way in order to move things along through clinical trials, through FDA approvals, things of that nature. It would be a good spot for a de novo IT firm, a little niche spot.

David Fiore [00:32:00]:
Need to think about that. Steve, that might be.

Steve Swan [00:32:03]:
Yeah, sure. Absolutely, absolutely. So, you know, I always like asking folks when I'm talking to them, right. Because everybody's got a different angle on, you know, growing, mentoring their employees, growing their team, however it is, right. And the one thing I like to ask folks, right, IT leaders like yourself, what makes the working for, you know, Dave Fiore experience different or better? What do you do? Why would I want to work for you? Any thoughts around that? Is there anything that you say you do unique than others?

David Fiore [00:32:35]:
Yeah, that's been sort of my career because I've always gotten the same feedback from staff and coworkers that not to say, you know, always do what your mom said, but just be genuine, show empathy, have a concern, ask about how they're doing, and then from there, you know, how they're doing at home, how they're doing personally, how they're doing at work. Make the work question the last one, you know, versus the first one, you know, make it about them. Because at the end of the day, if you don't nurture your staff and care for yours, you know, if you don't help the people around you that help your organization do what it needs to do to excel, you're not going to have that organization. You know, you really do need to care about people and make sure that they do have the resources they need. They're not working at 140% that they do have coverage. That's one of the things that always baffled me when I used to work in certain industries, that you would try to do certain things from a service perspective, but not have enough people to provide the service. And then people wonder when things get dropped or things get missed. Well, you have only one person trying to cover three shifts, so to speak, or that one person has no backup.

David Fiore [00:34:03]:
So what happens when they need to go on vacation or their wife or their kid gets sick or whatever the case may be. And so thinking about that always made me think that when you work with business partners around staff augmentation or you're going to work with an MSSP or a service provider, really make sure that they're going to help your staff and make sure your staff sees that as something that's helping them, because it is. You're not getting an MSSP or a service provider to get rid of staff, to get rid of your core individuals, because your MSSP or service provider, they don't know your core business, they don't know the ins and outs of your organization. Your staff do. So always make sure that they understand from your perspective as a leader that they're the most important people in the room. And listen. You really have to listen. And that's why I always start with, how are you? How are things? And listen to that, and then eventually get to the one on one discussion with where they are with projects or how are things working? What roadblocks are they having that you can help move or get work through? Things like that.

David Fiore [00:35:23]:
I'm not trying to say be a servant leader because that gets bandied about a lot. Because sometimes when you're a servant leader, that means who helps you. At the end of the day, you're going to get burned out because you're so servant. You know, that's, you'll, you know, sometimes you need to be the first person on the airplane to put on their oxygen mask, right. That type of thing in order to help other people put on their oxygen masks.

Steve Swan [00:35:49]:
I think listening, right? Like you just said, in any circumstance, right. In a lot of things, you listen, then you understand. I always call them drivers. You understand what someone's drivers are. You understand where they're going, what their goals are, what their thoughts are, what they're looking for, what, what their drivers are, what's, what's going to get them from A to B, or what they need to get from A to B. And, you know, if you do that through, through your interview process, maybe their drivers don't match your drivers of your organization. Thank you very much. Right.

Steve Swan [00:36:20]:
But as they work for you, you continue to, like you said, build that rapport, build that relationship.

David Fiore [00:36:27]:
Right. You learn about the drivers that make them, they need. And that goes not just for your immediate staff, but also for business leaders and other departments, business leaders and other functions. You know, you, you need to be able to listen. You need to be able to tell stories and listen to stories, you know, really well and then synthesize, you know, what you just heard or where you need to go based on those stories. That's something that I've always been very good at, I like to think.

Steve Swan [00:36:54]:
Yeah.

David Fiore [00:36:55]:
You know, I had a, I had.

Steve Swan [00:36:56]:
A company once call me, and they were building their IT department. It was a small company, small biotech that was opening up their US operations here. And they already had going in Europe. And their head of HR called me and she said, we need to talk on Zoom for like an hour. So we talked and talked and talked. It was probably 40 minutes in. And she says to me, you're our guy. I said, excuse me.

Steve Swan [00:37:23]:
She goes, we need a, because it's a small company. They said, we need a storyteller. You're a storyteller. I'm like, I didn't realize I was being interviewed. It was good. It was good.

David Fiore [00:37:38]:
I mean, but that's, I think, I like to think that most leaders, at certain points in their career, they realize that they have become, or maybe always were, but now it's self evident that they are people, that they are people, people, you know, people pleasing people, people helping people, personable folks of that ilk. That's probably what organically got you to be where you are now. If you were always an introvert or if you were always very good at something extremely singular and difficult, you might be so focused on that, that you would always excel at that. But you might not move into, you know, a management position. Like, for example, I have, I've had many friends that love software development. They never want to leave software development, and they always want to be software developers to, and that's, and that's great. They never want to be a supervisor. They never want to be in management.

David Fiore [00:38:40]:
They never want to do those things because their love in life is helping to help people solve problems, solve problems through software and systems and creating things that solve those problems. They never want to be taken out of that role and say, okay, now you have to manage six people, six other software developers, that type of thing. They're like, no, well, that's the only way you can increase your salary or move up or, oh, well, why can't we talk to HR and figure out how to restructure that? So that if you want to be a software developer, you can stay in that track and just progress and have a career doing that at this company. And sometimes people will say, oh, well, gee, we never really thought about that because the only career track was, you know, analyst, supervisor, manager, you know, director, AVP, VP, that type of thing. So. But which is why, again, listening to people and to their wants and goals and where they want to be and trying to make that happen, I think, is the mark of a good people person, a good leader.

Steve Swan [00:39:44]:
Agreed. Agreed. Yeah, agreed. Well, cool. Well, thank you. This was great. This was awesome. So I have one last question that I didn't tell you about.

Steve Swan [00:39:55]:
Right. But before I get to that, anything more that you want to add on these subjects that we hit on that you think we did?

David Fiore [00:40:03]:
Well, I mean, I'm trying to think of things in the news right now. You know, AT&T had that breach. Google is buying Wiz, that's going to be interesting, I think, because I think that's a great.

Steve Swan [00:40:15]:
Well, so let me ask, can I ask you about that?

David Fiore [00:40:17]:
Sure.

Steve Swan [00:40:18]:
So Google buys Wiz. Google's already in trouble for any competitive issues if Google buys Wiz. Wiz is traditionally, from what I'm reading, is attached to AWS and Google as a cyber tool, if you will. Why isn't Google just going to make it only compatible with GCP and be done with AWS? They're just going to get in trouble again if they do that, right?

David Fiore [00:40:44]:
They're not going to do that, Steve, because of what we talked about before, about people trying to be cost effective, customers trying to be multi-cloud. Got it. We're going to be. Because then they can, they control the pricing structure. But if Google says, oh, well, if you want to run your application in AWS, but you want your data to be stored in GCP, Google would love that because. Oh, because our storage costs are much less. So store all your data, run your Snowflake instance, or whatever the case may be, use that for GCP, or use GCP for that, and then run your core application in AWS. And as it gets hit and needs to add processors, that'll all happen in AWS.

David Fiore [00:41:31]:
Your data will get saved in GCP, that type of thing. So they're not going to close things off. And where Wiz comes in, Wiz is very good at correlating all the things that happen across those environments. So you can tell if you have a situation with cybersecurity or a situation with performance or a situation with misconfigurement with configuration management, because that's the big thing. Most companies don't have as many people to make sure that configuration management and change management is where it needs to be, because they might only have one or two people handling the whole setup of this thing. And so having a tool like Wiz or other products that are out there similar to Wiz, helps you fix misconfigurations in your cloud products, you know, so that you don't have any holes or, you know, concerns. So. But I think that's gonna be a, that's gonna be an interesting win for Google.

David Fiore [00:42:28]:
The other thing that sort of is interesting is that, you know, what was it a year ago? I think Cisco bought Splunk. That's gonna be interesting to see how that plays out, because Splunk was always a unique thing, where you just give them the data and they will tell you what's going on with it. And if it's going to be, you know, people were using Splunk to monitor, you know, temperature systems in laboratories and try to get trending analysis and things like that. You know, things that really weren't related to cyber or things that really weren't related to IT, you know, engineering aspects of things people were using Splunk for. I'm wondering how much more. I'm wondering if it's going to still be available for that type of usage. I'm thinking now that's been purchased by Cisco, or the licensing is going to change, or, you know, Splunk volume compute is going to be the same as it was, or it's going to be different.

David Fiore [00:43:31]:
That's interesting.

Steve Swan [00:43:32]:
You know, Wiz and Splunk aren't direct competitors, right?

David Fiore [00:43:35]:
No, they're not. Splunk is like, it's a data collector for log aggregation events, things of that nature. Wiz is more configuration management, event correlation. There's a little bit of overlap, but it's not a direct competitor, ever. A company called Datadog, Datadog and Splunk, or Elastic, Splunk, they're more types of direct competitors with them. Wiz has more cloud configuration management and stuff like that. I think Rapid7 has a competitor to Wiz. There's a couple other.

David Fiore [00:44:25]:
If you were to look, if you were to Google Wiz competitors, or you would find them all, you know, but it's. That's going to be interesting. And then the AT&T breach, the amount of data that AT&T has over the years and things like that, you know, we've seen breaches with Verizon, with, with Yahoo. I mean, probably all the information about us is already out there, most likely somewhere, you know, because, I mean, just Google, Google yourself, and I'm sure you can see past addresses, you can see property sales, you can see all those things about yourself. And then if you want to spend $30, you can see even more about yourself. And so it's, I think, around those things. Everyone should be using multi-factor authentication at this point. I mean, yesterday I logged into Yahoo.

David Fiore [00:45:16]:
From my laptop and it told me to use the Yahoo Mail app on my iPhone as multi-factor. That's awesome, because it actually said on my laptop, go to your iPhone, go to your phone, open the Yahoo Mail app, and approve that. You just logged in from this PC. And so it wasn't even using another authenticator app or anything like that it was using. That was pretty neat. And not to say that Yahoo is great, but we have to get used to using different ways of authenticating to make sure that, you know, we're the people going into our systems and not somebody else impersonating us.

David Fiore [00:45:52]:
And that's the big thing.

Steve Swan [00:45:53]:
Yeah.

David Fiore [00:45:54]:
You know.

Steve Swan [00:45:54]:
Yeah, but that is, I know. Like we talked about earlier, changing habits, training people. Right. That's the biggest deterrent or whatever you want to call it.

David Fiore [00:46:02]:
If it's going to be such a problem for a salesperson to click a button in order to authenticate to the sales system, which has all the information about the company who you're selling to, and you don't want that information to get to your competitor. Well, then you need to educate that salesperson to realize how important it is to do this this way so that things don't get out to our competitors that can then materially impact you as a salesperson and us as a company. Because as we all know from startups, they either go up or down. And if they go down, who are the first people to get let go? The salespeople. So, sure. Of course, you know, saw that firsthand, so, you know.

Steve Swan [00:46:47]:
Yeah, I've seen that. I've seen that big time. So last question here. I like to ask all my guests this, and I didn't tell you about this. And if you, if you went through any of my podcast went all the way to the end, you've already seen this one. So music, I like music. I like live music. I like seeing bands.

Steve Swan [00:47:05]:
Is there any musical act or band that you would say was your favorite that you've ever seen at any point? You could have been eight years old. You could have been ever just one? If it's just, you can name a few.

David Fiore [00:47:21]:
I could name a few. Okay. I remember back in the early nineties when I was just starting out, I had a friend of mine who lived in Brigantine. I lived in Brigantine as well. We both worked into casinos. We were both big Yes fans.

David Fiore [00:47:36]:
And at the time Yes, the prog rock group Yes, they were starting their Union tour where they would have everybody from old Yes. So Rick Wakeman and everybody else from the older Yes.

David Fiore [00:47:49]:
And then everybody from the new Yes. So you know, Trevor Horn and every, you know those guys and they would all be playing. And they did a number of shows at the Garden State Arts Center. And those shows were amazing because the Garden State Arts Center is such a great venue because it's outside, but it's also a little bit covered. It looks like a spaceship. I don't remember if you ever been to the Garden State Arts Center with the big circular roof.

Steve Swan [00:48:13]:
I've been a bunch. Yeah, I'm going there in a few weeks. Yep.

David Fiore [00:48:16]:
Yeah. And that was awesome. So I really enjoyed going. His name was Barry. Going to Barry to see those guest concerts. That was great. And then my balcony.

Steve Swan [00:48:25]:
Yes. My.

David Fiore [00:48:27]:
That was. Yes. Yeah.

Steve Swan [00:48:29]:
A friend of mine a couple months ago sent me a trivia question, and I'm about to tell you. Well, as you could tell, the answer is Yes. The band that played the most shows at MSG through the seventies. Yes.

David Fiore [00:48:46]:
Yes. Wow. I did not.

Steve Swan [00:48:48]:
Yeah. I thought it would be Led Zeppelin or. I don't know. I came up with all sorts of names, but he's like, it was Yes.

David Fiore [00:48:58]:
That's an interesting. Yes. So I thought, yes. A number of times there. But my first concert experience was when was here in Atlantic City at Bader Field. Bader Field is the old airport outside of Atlantic City. If you look up Bader Field. And the word airport, airport, as a word, started at Bader Field because it's one of the first airports in the US back in the day.

David Fiore [00:49:21]:
And my brother took us. I was. Well, I think I was 15. We went to go see Blue Öyster Cult, and the people that were opening for them was a group called Fastway, which I don't know what happened to them. And then a guitarist called Aldo Nova, and those were the openers. But when they got to Blue Öyster Cult going on stage, they opened with Godzilla. And they had a giant foam Godzilla on stage that breathed fire. And it was an outdoor concert, and it was awesome.

David Fiore [00:49:53]:
And it was sponsored by the local Philadelphia station, WMMR down here. And.

Steve Swan [00:49:59]:
Yeah, 93.3.3.

David Fiore [00:50:02]:
Everybody had green and yellow WMMR stickers, and it was a lot of fun. That must have been like 82 or 83, you know, something like that. That was a lot.

Steve Swan [00:50:13]:
They were pretty prevalent. They were around. I went to Live Aid in 85 down in Philly, and MMR had a presence there as well.

David Fiore [00:50:21]:
They had a huge presence. I didn't make it. We listened on the radio and watched on TV, but we saw a lot of things back in the day of the Spectrum. I remember seeing the Police at the Spectrum, and that was a really good show. Remember seeing Genesis?

Steve Swan [00:50:37]:
Never saw them.

David Fiore [00:50:38]:
Genesis was really good back in the day. And then at the Atlantic City Convention Hall, we saw the Ozzy Osbourne Diary of a Madman tour.

Steve Swan [00:50:49]:
Never saw that. So that would have been. Was Randy Rhoads playing lead guitar then? Was he still live?

David Fiore [00:50:56]:
That's when he was good. He was good. That's when Ozzy picked up Randy. Before Randy passed.

Steve Swan [00:51:02]:
Yeah, and yeah, he was really good. That was Randy. Randy did himself in buzzing Ozzy's motorhome while Ozzy was taking a nap in a, in a, in a single engine plane. He crashed it. Right. So, yeah, it is.

David Fiore [00:51:17]:
We had a lot of good concerts. You know, they had. Remember they had Van Halen when, you know, for their big, you know, when David Lee Roth was still with them.

Steve Swan [00:51:26]:
And seen them a few times. Yeah.

David Fiore [00:51:29]:
So I would have to say Yes at the Garden State Arts Center.

Steve Swan [00:51:32]:
That's good. That's good. It's a good show. I'll tell you, when I ask this question, I get, I've gotten a few Bruce Springsteens, you know. Um, but I get a lot of different answers, you know. Um, it's amazing, you know, and, and you can't, you can't. I couldn't peg a day, I wouldn't say. I would have probably gone through twelve different bands.

Steve Swan [00:51:50]:
I don't even know if I would have ever gotten to Yes. You know, another guy I was talking to, another CIO, Rush, his favorite was Rush, and he.

David Fiore [00:51:57]:
Rush. I never saw Rush. I love Rush.

Steve Swan [00:52:00]:
I never saw Rush either.

David Fiore [00:52:01]:
My office in person, because they would never come down to this area that often. You would never see Rush in New York, New Jersey, Philadelphia. It would be very, very rare. And, and when I wanted to see them is when I was little and it was, you know, I want to hear, you know, but I want to hear them do Moving Pictures. I want them to hear, you know, all the classic Rush things that, from the late seventies, early eighties and. Well, you know, now I watch Rush on YouTube, so I watch the concerts from about ten years ago when everyone can still sing and play. And those concerts are quite amazing because they sound just like Rush. You know, when, when they, when you.

Steve Swan [00:52:44]:
Look at the, the prog rock genre, I get Yes, and I get Genesis. But they throw Rush in there, which I always thought was interesting.

David Fiore [00:52:52]:
They throw Rush in there because of the writing, because the way Neil. Because of the way Neil Peart wrote songs. I. They were very prog oriented because they were a little, okay, fantasy oriented, a little, you know, very personal sometimes about, you know, life and stuff. So they consider that, I guess, to be prog. But when I think of prog, I think of ELP, Emerson, Lake and Palmer, who I've seen in the Philadelphia area, which was. I saw them at the Mann Music Center outside Philly, which was awesome. Yes.

David Fiore [00:53:23]:
ELP and old Genesis when it was Peter Gabriel.

Steve Swan [00:53:29]:
Oh, Genesis. Peter Gabriel.

David Fiore [00:53:32]:
Genesis with Phil is more pop rock. You know, I don't consider that to be very proggy. And, you know, there's, there's other groups like Wishbone Ash and Gentle Giant and King Crimson and stuff like that. But no, I think of, I love that we love the Police in our house because my wife loves. She bumped into Stewart Copeland years ago.

Steve Swan [00:53:57]:
Oh, yeah. I love the Police. I love the Police. And I have two older brothers. We had tickets. We were going to go see the Ghost in the Machine concert. And we were heading out the door. We're heading out the door.

Steve Swan [00:54:13]:
We got tickets. And I'm the last one out. And they turn to me, they go, what are you doing? I'm like, I'm going to the concert. Oh, we sold your ticket. I'm like, what? They sold my ticket to one of their buddies. Like, yeah. So you're not going? And I was in like 9th grade or something. Yeah.

Steve Swan [00:54:29]:
I was like, I think it was 8th grade. Yeah. So I've never, never saw.

David Fiore [00:54:35]:
We saw them do at the Spectrum, their Synchronicity album, which was their last album as a group.

Steve Swan [00:54:40]:
Yeah.

David Fiore [00:54:41]:
But my wife was a kid, was a teenager in New York, I guess in the late seventies, and her and a friend are in Central Park sitting on a bench, and Stewart Copeland goes walking by, and she gets up and says, stop. You're Stewart Copeland. And he turns around and he says, yes, I am. And she just starts lauding over him and thinks, how great, that's funny, while smiling. And then her girlfriend says, do you know where Sting is? And at that point, Stewart just put his head down and said, take it easy. I'll, you know, it's over.

Steve Swan [00:55:13]:
Yeah.

David Fiore [00:55:13]:
Over.

Steve Swan [00:55:14]:
Yeah. But, you know, it's fun doing a lot of stuff. You see him? You see him?

David Fiore [00:55:18]:
Yes. Yeah, a lot. Seems like a lot of those folks, as they get older, they go into, you know, music production for movies and tv shows and other things they do.

Steve Swan [00:55:30]:
Cyndi Lauper's doing it. Yeah. Stewart Copeland's doing it. Gosh, the other guy, I just saw his name on the TV last night. I forget. And he does everything that that particular guy that I'm thinking of now, but I can't remember his name anyway, so. Well, listen, great chat with you.

Steve Swan [00:55:51]:
Thank you very much for your time. Yeah. And I'm sure, I hope that everybody enjoys this. And if anybody has any questions about cyber or security, they'll reach out directly.

David Fiore [00:56:05]:
Reach out direct on LinkedIn. That's where I have a fairly broad connection of folks and friends.

Steve Swan [00:56:13]:
Cool. Thank you.

David Fiore [00:56:15]:
All right. Thank you, Steve. It was pleasure.