Q&A with Children’s Mercy Kansas City CISO TJ Mann: “CISOs would be blind without threat intelligence.”

“CISOs would be blind without threat intelligence,” says TJ Mann, CISO for Children’s Mercy in Kansas City. That’s why Mann uses multiple sources to gather intel on a daily basis, not only to be proactive, but to determine a hacker’s next steps if they do happen to get a breach. Why? Because intel wins wars, Mann says. “You can’t win a war if you don’t know what your adversary is doing. Or you don’t know what’s coming at you.” In this interview, Anthony Guerra, healthsystemCIO editor-in-chief and founder, talks with Mann about his career and what led him to healthcare IT security, and particularly how he keeps Children’s Mercy safe. In the four years he’s been at Children’s Mercy, Mann has built up a team from a handful of FTEs to a dedicated staff of 38. Trust is paramount, he says. The rest of the c suite will only listen if you first build credibility.



LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 



Bold Statements

Everything we’re doing ties back to the organizational goals. And that’s the key in terms of establishing a successful security program.

Your job is to identify risk and assess that risk and share the implications with the business and executives. But they’ll only trust you if you build that trust and credibility.

What I’m not seeing is a lot of effort from people who desire to be in the cybersecurity field to build that baseline – to be in that interview and say, “Even though I haven’t had a job, I’ve done these things to really demonstrate that this is a field that interests me.”

Guerra: TJ, thanks for joining me.

Mann: Thanks for having me.

Guerra: Let’s start off with you telling me a little bit about your organization and your role.

Mann: Sure. I am the chief information security officer for Children’s Mercy Kansas City. We have two hospitals in the area. We have 23 clinical sites, and we just recently opened a children’s research institute, which is focused on identifying and detecting genetic defects and building treatment plans and research around that for kids, specifically. We have a value-based program, as well. We operate in Kansas and some remote locations in Kansas and Missouri. I will be at Children’s Mercy for four years next month. I have the complete responsibility for a strategically aligned cybersecurity program and maintaining the effectiveness of that program.

Guerra: Congratulations on your four-year anniversary, coming up on that. That’s pretty good tenure these days for any c suite. Tell me how you ended up here in a career sense. How did you wind up in IT? How did you wind up in security and in healthcare security? I think people find it interesting how CISOs wind up where they are.

Mann: It’s an interesting journey. My academic background is in IT. My bachelor’s is in IT and my master’s is in computer science. I graduated with my master’s in 2010. Back then, not a lot of universities were offering cybersecurity degrees; there were no programs. The only path to get into security was you’re coming from the network side of the house or you’re coming directly from the IT side of the house, and you had to kind of find and carve your way into security. Nowadays, it’s good to see that a lot of universities are offering security degrees to build their pipeline. To go back, I knew that I wanted to be in security as early as seventh grade. Back then we were first introduced to binary arithmetic—ones and zeros, adding and subtracting and everything. And I thought, “This is pretty cool.