Although Patty Ryan did not begin her career in security, in 2004 she was working at a financial services firm in the project management office and the CIO offered her the CISO role. With limited knowledge about security, she was required to leverage her problem-solving skills and strong business intelligence to lead a team of twenty security professionals. Since then, Ryan has held a number of different roles in security, working in finance, legal, and healthcare organizations.
Currently the CISO at Ortho Clinical Diagnostics (Ortho), an in vitro diagnostics organization serving more than 800,000 patients globally, Ryan oversees information and cyber security across the entire enterprise. She comments, “One of the things that hooked me in joining Ortho was the people. The process of talking to people through my initial job interview, I saw an amazing amount of transparency. I knew exactly what I was getting into, their personalities, the focus, the priorities, everything came out as part of that process, which allowed me to make a really informed decision in a very short period of time that doesn’t normally happen as part of interviews. And they conveyed to me throughout this process a strong sense of partnership and a healthy appreciation for information security. So that sold me.”
While interviewing for the role, Ryan was drawn to the opportunity to build and lead a security program as well as work in the unique field of medical devices. The challenge excited her, and she knew she would be able to not only mature the organization but grow her skillset while being supported by a strong company culture.
AN ORGANIZATION’S COMMITMENT TO SECURITY
The medical device industry poses unique challenges, and Ryan works diligently to ensure her team continually enables the organization’s commitment to delivering innovative, high-quality diagnostics to healthcare entities around the world. Ortho’s website highlights their commitment to cybersecurity by stating ‘Ortho Clinical Diagnostics (Ortho) is committed to providing products designed with cybersecurity in mind and protecting all information that is entrusted to us by our customers.’
A key area of their commitment to cybersecurity is security by design. “My job is to make sure that our products are secure while operationally simple so upkeep is not a burden to our customers. We don’t contribute to their risk footprint,” says Ryan. By incorporating security into product design from the start, and throughout lifecycle management, threats are appropriately monitored and mitigated while meeting regulatory requirements.
TOP PRIORITIES
With an uptick in ransomware hitting healthcare organizations in 2020 and moving into 2021, Ryan says Ortho’s security team works hard to limit the risks presented by cyber criminals. She explains, “We make blood analyzers and clinical chemistry analyzers, and you think about the people who use our products. These are people for whom the toll of COVID has been amazingly high. Our products should not add to their stress level.”
Digital transformation is another area of focus for Ryan and her team as Ortho transforms its products and services. From a customer perspective, Ryan ensures that security needs are part of the conversation at every step of the way.
Ryan also considers looking back at core business functions to ensure security is fully functioning as an area to concentrate on this year. She comments, “You need to go back and look at your core business functions. You must look at how to innovate and protect. For us, we continually review the level of risk present in different areas of our organization and make sure that level is acceptable. How do we mitigate, how do we understand what we know and what we don’t know in these environments? And how do we encourage transparency?”
CHALLENGES OF A COMPLEX INDUSTRY
Working in a complex industry such as medical devices poses significant challenges, and Ryan says focusing on security at a foundational level and not getting distracted by the latest trends helps her stay laser-focused on achieving her goals and protecting the organization.
Ryan explains, “From our product standpoint, lifecycle is a big challenge. From an idea to it being approved by a regulatory board such as the FDA, it could be three to five years. That is because of the amount of time it takes to build and completely test this complex infrastructure. Think about that from a security perspective, things move in days, weeks, and one design may be acceptable now, but is it going to be acceptable when we start verification and validation three or four years from now? So you must really look at security at a foundational level. Really stick with what you think are the tried-and-true best practices and means in which you can secure an infrastructure and really understand the evolution of the regulatory landscape and try to keep the bar at a consistent level.”
INSIDER THREAT RESILIENCY
Ryan says strong, resilient insider threat programs must be built on transparency, with holistic visibility into behaviors and movement. While it is not the idea of ‘big brother’, it is vital to look across the environment, whether it is Office 365, collaboration tools, or video conferencing, and understand what employees are doing and where they have access. Ryan explains, “I think the biggest issue with insider threat is the transparency or lack of transparency. Once you have the transparency, in my opinion, you can start building the rules and a logic that allows you to understand abnormal from normal. It is not easy and is a multi-layered approach.”
With increased numbers of remote workers, Ryan says insider threat has become an even larger security issue across the world. She encourages others to truly understand the flow, then compartmentalize how to handle the lockdown of each different area in an organization. She says, “The fundamentals have to be governed and when you start looking at locking down, it’s least privileged, need to know, and your businesses need to be part of the conversations.”
Insider threat as a service is a concept Ryan has heard about, where there may be an ability to buy an employee, so to speak. Bad actors could attempt to become trusted employees, especially with many recruitment interviews done over only a few video conferences. From the strategic side, Ryan believes insider threat programs must continually align with business assumptions. She explains, “The business assumptions include who’s going to be using what data and how they want their data manipulated, how they want the data shown, where they want the data stored, where they need to have the data flow. How you then secure it, I consider far more of the people, process, technology, tactical side. Unless you have a really continued strong understanding of the business vision and tie an insider threat program to be able to reflect what the business needs, you’re going to have a problem of a lot of false positives or hiccups in the program.”