Welcome back everyone to theCUBE's live coverage of mWISE here at the Marriott Marquis in Washington, DC. I'm your host, Rebecca Knight, along with my co-host and analyst, Rob Strechay. We are joined by Taylor Lehman. He is the Director, Office of the Chief Information Security Officer at Google Cloud, and Monica Shokrai, the Head of Business Risk and Insurance at Google Cloud. Welcome, Taylor and Monica.

Thanks for having us.

Thanks for having us.

So Taylor, I'm going to start with you. You were a former CISO at Athena Health and Tufts Medical Center, and your role now at Google Cloud is helping healthcare organizations and life science companies through the same challenges that you faced in working in the industry yourself. So tell our viewers a little bit more about what are the kinds of cyber threats that are facing healthcare organizations right now?

It's constantly evolving. It's probably best handled by thinking about healthcare as a number of sub-sectors, like you kind of mentioned in your intro. So you've got hospital systems who are being attacked, largely because digital extortion, ransomware events create tremendous leverage. They threaten people's safety, and attackers know that and use it to their advantage to compel payment. And there's also a ton of legacy infrastructure in these places that make them sort of target rich in a sense. You've got health insurance companies. They operate mainly like banks, they process claims, they move a lot of money. Very highly targeted for not just the medical information, but also the financial data that they typically have that they keep alongside that. You've got like med tech companies, pharma tech companies. These are like a sort of a facet of life sciences where they're developing drugs and devices to keep people healthy. Intellectual property is super valuable, not just for competitors to acquire, but nation states want it to basically treat and keep their own societies healthy.
And you've got pharmaceutical companies and others who are just using science to build new treatments for people. So there's a variety of organizations that make up the healthcare industry and the threats and the opportunities are different for each depending on how you look at it.

And how susceptible do you think the industry is as a whole from a healthcare perspective? Is there a reason why? Is it just the legacy of the applications and that layer that's really been pulling them back and why they need to really focus on this?

I think, you know, when folks realize that you could extort business and get paid for it. And focusing specifically on hospitals for a moment. You know, people did a bit of a value equation and said how bad can I make it for an entity and how low is the bar to achieve that outcome? And I think people pretty much figured out hospital systems, things go bad, people get hurt and tons of legacy technology everywhere that's hard to manage by organizations that aren't really being reimbursed at a rate and pace that allows them to refresh their infrastructure. So you have a couple of really unique, interesting factors that go into why healthcare is an interesting target and why it's so vulnerable. I think if you step back and kind of take a macro view, these are also systems that are really important to the safety of entire society. So if you start messing with them, you not only compel the individual organizations to participate, but you also affect the broader society around you and that's also unacceptable.
So there's some interesting sort of intersections between societal risk, risk to these organizations going down what it could mean on an individual basis but then also when you really think about how a number of those threats play out, you kind of cause in a sense of catastrophic outcomes for entire communities, cities and towns and Tufts Medical Center right where I worked, not only a large, noteworthy academic health system, it was also a community hospital system that served people not just like coming in from out of town to get treated, but it served a very large portion of the Boston area. If that went down, which in recent years when we had things like the marathon bombing and things like that that just showed us how much we rely on these organizations, it really paints a scary picture when you think about the ramifications of a cyber attack just knowing what happens when these organizations get stressed in the first place.

Because they are so vulnerable and they come at a time when people are very vulnerable in their lives. So Monica, how can cyber insurance protect healthcare providers from these financial losses?

Absolutely, so cyber insurance is part of a holistic risk management program. Not only from a security perspective or you're trying to reduce the risk from a frequency perspective, but if something happens, cyber insurance can help you reduce that severity. Particularly because cyber insurance programs come with an incident response panel, a panel of providers that will help you respond quickly, they'll help you negotiate claims, et cetera. And so from that perspective, we see it as a holistic risk management strategy. But what I think is more interesting about cyber insurance is that insurance is one of the only industries that can start to better prioritize using risk and losses, what controls and what metrics make more of an impact to customers.
And so over time, if we can get the insurance industry to a place where they're bringing in the right metrics, they can help customers improve their security and improve that feedback loop and that's something that we're very interested in.

So it makes sense that there'd be a lot of education that has to go on for the insurance, having been in an insurance industry, Manulife Financial and John Hancock, where I ran part of the IT there. It's one of these where they themselves are trying to get a handle on this. And do you see that as part of what you're bringing to them is a lot of education as part of the program?

Yes, absolutely. So we have a program called the risk protection program, which I think you're touching upon. And within that program, what we're doing is we're helping our customers get access to cyber insurance. The way that we're doing that is that if you look at the cyber insurance industry today, there's 40-page PDFs with a lot of manual questions that CSOs are being asked to respond to. And a lot of times the questions aren't simply a yes or no question. That's easy for the CSO to answer. So what we thought is a couple of years ago, we pulled back and said cloud providers have a very unique role to play in this space where we can provide scans that have inside out metrics indicative of risk that customers can send directly to insurers so that they can better utilize metrics to understand risk. When you pull back from that, we're also a leader in the security space, Google as a whole, in addition to Google Cloud, right? And how can we take that IP and our understanding of security and help the insurance industry better understand their risk? And so as part of this program, there is education and thought leadership working with insurers. Right now it's Munich Re and Allianz that we're working with so that they can better understand the metrics that we're providing.
So you're having these dialogues with these CSOs and Taylor as a former CSO yourself, what are you hearing from these people? What is keeping them up at night? What are their biggest concerns right now? I want to take that one to both of you.

And I think it's really obviously confidentiality of sensitive data, critical, paired with availability of systems, increasingly critical when you combine the two where you've got folks ransoming data, exfilling data, it keeps, and then exposing sensitive information publicly. It creates a really interesting set of problems and challenges that CSOs have to really think about. It's not just like keep it locked down but I got to keep it online. I also have to minimize it so I don't find myself in a place where I don't want to be. In healthcare, we touched a little bit about this but availability of systems is probably the most important outcome that a CSO can achieve and any threats to a system going down need to be at the top of the list. In the last year we've started to see more and more targeting of healthcare organizations not just with ransomware events but insider threat is something that we're starting to see clearly quite a bit. We're starting to see symbolic DDoS attacks like Killnet earlier this year where hospital systems were being just attacked from other places in the world just because people knew the availability was such a critical thing and really wasn't clear what the outcomes they were hoping for but you're starting to see more and more of that. I mean we hadn't seen really relevant DDoS activity since, I want to say almost a decade ago and I can think of an example at Boston Children's Hospital where we had a significant event but really hasn't been a thing we've had to deal with. Now it's becoming increasingly more common and it's being combined with other types of attacks.
So I'd say obviously ransomware continues to be an issue making sure you've got strong hygiene internally are always a priority there. Ensuring insider risk is understood and covered protecting yourself against DDoS attacks which I think are going to continue and then of course we've got advanced actors now doing really interesting things that we're seeing and I'm sure we'll be briefed about later today around like acquiring intellectual property capturing data on interesting people that they're targeting, scientists, researchers, et cetera. And so it's almost like kind of who knows what's next? It's a data rich environment and healthcare data has a lot of value but I'd say yeah, I mean it's, those are the priorities, those are the threats that we're seeing from the board.

Yeah, I, oh sorry, go ahead.

I was just going to add from a risk management perspective speaking to CISOs, one of their biggest concerns is how do I, is all the toil that they're faced with from a day-to-day perspective and how do I figure out what to prioritize, what to do first if I have a limited amount of time? Where do I focus? And that's an area where we're trying to help them from an insurance perspective as well.

Yeah, I mean that makes total sense because both industries are really data heavy industries plus there's proprietary information in both, there's very confidential information in both, I mean from actuarial tables, that's the IP of an insurance company all the way through, you know, patient records, X-rays and all of that stuff. How do you see this really pushing those industries? I mean it makes sense, the insurance side of de-risking themselves. Are you seeing a good uptick in people saying yeah, these insurance regulations or not regulations but requirements are changing the behavior of the companies?

I think they are and it's probably more recent within the evolution of cyber insurance.
So once, a couple years ago when ransomware really upticked that caused the industry to basically skyrocket their premiums doubling and tripling premiums year over year and that got to a place where cyber insurance became a little bit more relevant in the day to day of a CISO and an organization because it suddenly was costing a lot more. As part of that process, the different requirements that they were asking customers to implement became top priorities because a customer wanted to make sure that they were insured. So I do think that the industry is starting to influence what people prioritize from a cyber security perspective.

I would add, I think, and this is kind of happening at the same time as cloud adoption is becoming more where CISOs and security leaders, you mentioned toil reduction is a key priority to address threats but we're seeing this sort of shift to leveraging service providers and insurance organizations, basically people who do business with adopt this sort of shared fate concept where it's more than just, hey, we're going to acquire technology tools, people to help solve problems. It's more like we're going to look to our providers to partner with us to more effectively manage sort of the entire spectrum of risk, including insurance. So like an example would be coming onto Google Cloud, the platform itself has a variety of platform controls built in, they're ambient, you can't avoid them. They're there, they're on by default. That brings you up to a certain bar and then when you actually start to measure your risk and incorporate financial tools like insurance, you can actually do real risk transference, which wasn't really available before. Like people would buy an insurance policy and be like, oh please, I hope I don't ever have to use this thing, right?
And of course we were catching up earlier before, it certainly doesn't cover the long tail effects of certain outcomes like people getting hurt, safety issues, cyber insurance and patient safety don't necessarily go together exactly but for me, what the opportunity is now that we're having people moving on cloud and becoming more data driven with their security programs, they're able to effectively transfer risk and with organizations like Google and the risk protection program, you can actually transfer it in a way where it's a responsible transfer but you know that those risks in a sense are covered through effective use of a platform. So you're starting to see the shift in the connection between, hey how do I leverage my providers, what I have a little bit more and then start to do more interesting things that you can only really do if you have a modern technology platform, to be honest with you. So.

I like the way you talked about the shared fate aspect in the sense of, because as Taylor was saying, these are organizations that are also community goods, I mean Tufts Medical Center is providing valuable services to so many different kinds of populations within a community. How are they viewing the reputational risk of these kinds of ransomware attacks and security breaches?

I think it depends on why it happens, right? Sometimes it's just bad luck, sometimes it's negligence. I think it really matters more, not just necessarily the outcome or the impact but it's how you handle it post in terms of being transparent and communicating effectively and helping take the necessary steps to recover, rebuild trust with customers, make sure the investments are in the right places. The reputational risk is real. It shouldn't be the reason why organizations are compelled to be good at cyber, right? Should be more on what is the customer outcome we want and why does that matter?
More than it does what is my personal reputation but I do think it compels to a certain organization to do the right thing but really reputational risk is managed post event. In my experience, I see it better managed by being as ready as you possibly can be than having a clear strategy to engage your stakeholders coming out of it. I don't know, anything you would add?

It's not something you can insure.

Yeah, it's not insurable, unfortunately. We get asked about it a lot in terms of quantifying risk. How do you quantify reputational risk and impact but it's not something that's covered under the policy. On the shared fate point, I was going to talk a little bit more about one of the things that we're seeing within the industry, At-Bay is an insurance company. They came out with a report that essentially said for their customer base, if you use Workspace, the chance of a claim, of a loss, is down 40% compared to other email providers. So when you think about the power that the insurance industry can bring to helping customers make decisions on what risk-adjusted decisions on what technology they're going to provide helps overall where a customer might not know the difference between different technology providers. So that's something that we're interested in working with them on.

And I think that level of precision and risk measurement and then how you treat it is going to get better and better and better as people adopt more modern stacks, looking at data that comes off the system to inform them of risk, pairing it with intelligence, coming out of places like Mandiant to sort of create a better understanding of the risk, the effective control, and then if transference is a great option, making that almost click, click, click and you're done, right? I see that definitely as a trend that's going to continue to occur.

Yeah, I agree.

Well, looking into your crystal balls, what do you see? I mean, you mentioned that as a trend.
Is there any other themes that you're seeing emerging, particularly as we are here at mWISE?

From an insurance perspective, I think the theme is better inside out metrics over time. I think more and more insurers are going to start adopting that. What you're seeing, they're already adopting, it's a lot of outside in scans and the two industries merging, but that trend will continue. There's a term InsurSec that's emerging of the combination of the two industries and I think it only accelerates.

Yeah, I would just say I'm hopeful for the future. I think things are generally going to, they're going to be difficult but we're going to continue to see improvement as more and more organizations sort of understand the threats they face and then put controls in place and programs like insurance in place. I think on the insurance side, the thing that I'm most looking forward to is seeing the adoption of more quantitative mechanisms to measure risk in real time, not just like, oh, I'm going to model a scenario, it's going to take me 30 days to pull the data together, run a Monte Carlo analysis and basically like for this one really precisely defined risk, my exposure is X. I think we're going to see that feedback loop get shorter and shorter and shorter and in more and more real time so that we can make risk-based decisions and like I said, even on a precise scale, be able to have more options in how we treat those risks. That don't involve, hey, I got to go rack $20 million of new equipment, new firewalls, whatever, to get it in, like especially with code now being the way cloud is provisioned, they've seen the combination of more precise risk measurement and the ability to move quickly with less toil. I think it just means the, I'm personally excited, more healthcare companies get on cloud, start using intelligence-driven approaches, start measuring risk faster, means we're going to have safer and safer health systems.

Well, that's an optimistic note to end on.
Thank you so much, Taylor and Monica, for joining us.

Thank you so much.

I'm Rebecca Knight, stay tuned for more of theCUBE's live coverage here on theCUBE for Rob Strechay.

Great.