Q&A with CISO Ron Mehring, Part 2: “You Can’t Do It Without Good Data.”

Author: Anthony Guerra
Published: Thu 25 Feb 2021
Episode Link: https://healthsystemcio.com/2021/02/25/qa-with-ciso-ron-mehring-part-2-you-cant-do-it-without-good-data/

“Everything I needed to know about information security, I learned in aviation.”

Not exactly what one might expect to hear from the CISO of a large organization, but for Ron Mehring, the time he spent in the Marines has played a huge role in shaping him as a leader. And although he learned from all of the different roles he held, it was his time in aviation that truly laid the foundation for IT security. “You had to do it right all the time; there are no shortcuts, otherwise someone could get hurt or killed,” he said during a recent interview.

And although the healthcare landscape is extremely different from serving in the military, he has been able to apply many of the lessons learned, particularly as his team at Texas Health Resources has strategized to safeguard data – and patients – during the Covid-19 pandemic. Mehring also talks about how they’re leveraging analytics to improve decision-making, the challenges leaders face in transitioning to an adaptive risk program, and the evolution cybersecurity has experienced in recent years.

Key Takeaways



* The goal of an adaptive risk program is to “more cleanly orchestrate processes, and to make things much more tightly integrated from a security stack perspective in how we manage end-to-end risk across all these disparate environments.”

* As identity and endpoint asset management become an increasingly critical part of the security strategy, having solid analytics is paramount. “You can’t do it without good data.”

* The right vendor doesn’t tell you what they’ll be doing in the next few years; they tell you what they’re doing now to get there.

* For CISOs, it’s no longer just about blocking and tackling; it’s about speed, agility, and the ability to adapt the enterprise to new emerging threats.

* One of the most important life lessons for Mehring came during his time in aviation, where he worked in quality assurance. “There were no shortcuts.”





Q&A with Ron Mehring, Part 2

Looking at security through the lens of adaptive risk

Mehring: We put together an adaptive risk program with the intent to transform all levels from the program, from the risk and governance level down through the technology stack. And it’s to account for all of that change. Zero Trust, something we hear a lot about, is very technical. It’s a very specific set of technical actions that are taken.

Zero trust is actually part of that adaptive risk program. What we’re doing with the adaptive risk program is looking at it through the lens of everything. In other words, you can’t change our technology to do something different without addressing how you’re going to view that through the lens of risk. Because the lens of risk should be governing what you change. You shouldn’t be creating cost in the enterprise just because you think we need to uplift our security technology stack; we should be doing that through the lens of risk. Our processes will change all of that.

The end goal of the adaptive risk program is to automate and more cleanly orchestrate processes, and to make things much more tightly integrated from a security stack perspective in how we manage end-to-end risk across all these disparate environments, all the way from the consumer side. The program governs everything from the consumer side all the way through the workforce.