John Kenagy, PhD, SVP/CIO & CISO, Legacy Health, Chapter 3

With 20 years under his belt, John Jay Kenagy is no rookie to the CIO position — and yet, he’s continuously learning and evolving. In his current post at Legacy Health, he spends more time than ever before focusing on the best way to bring independent physicians into the fold, working to ease their skepticism while at the same time not “overselling.” In this interview, Kenagy talks about his team’s efforts to facilitate data flow throughout an ever-changing organization, the security “arms race” the entire industry is grappling with, and the “people first” philosophy he’s employing while leading through an acquisition. He also discusses what it has been like to work for four such different organizations, the need for “confident, yet humble” leadership, and what he believes is next for the CIO role.

Chapter 1

Chapter 2

Chapter 3



* Elevating security to the C-suite level

* Bringing stability to Legacy

* Engaged employees = satisfied operational partners

* Confident, yet humble leadership

* 20 years as CIO — “You need to be fearless.”

* Planning to “sell the secret sauce”

* A CEO who “really gets it”



LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED

Bold Statements

It really professionalized the department a little bit more, grew it a little bit, and certainly invested in it, both in terms of more, and more importantly, education.

It is a team activity, and I gather as much information as I can, but ultimately, I do make the decision. That sense of leadership and leading people and speaking to their hearts and their heads and their hands is just part of my leadership style.

I’d love to advise companies about how to effectively interact with CIOs and to please stop disenfranchising the IS department when you come and sell to our operational partners. It just puts all of us in an awkward position. So I’d love to sell some secret sauce to how to work with or collaborate with IS and not triangulate us out of the picture.

At Legacy, I am a management attendee of our board. I am on the executive council. I’m a direct report to the CEO — that has changed IS. In every other organization, the role has been further down in the organization.

Gamble:  How does it come about as far as having the CISO role? Is that how it was from the start of your time at Legacy?

Kenagy:  It is. We had a manager of information security who worked a couple of layers below me, and he and the department were very much generalists. It was a small department and they did identity services, so they created accounts, they did education, and they did auditing, working with our management audit function. They did policy writing, they did some engineering work.

Legacy, as a health system, I don’t think had invested in the number of people or the tools or basically invested in information security that was needed as the threats just continued to increase.

But I would say Legacy was definitely in the pack with other health systems in needing to get increasingly sophisticated. And so, over a fairly short period of time, we revamped the entire program where I elevated information security to a C-level, so it came to me to be directly involved when I got here, rather than having to delegate it too far down the organization for visibility and importance in funding. And then we also transitioned that unit into three different units: one that aligned with our helpdesk/service desk to do identity services, one that aligned with our engineering department to do the security technology,