Q&A with Rebecca Kennis, CISO, Arnot Health: My One Number Job is Creating a Culture of Security

Email is the lifeblood of any organization, with thousands coming in every day. It’s also the number one attack vector. Unfortunately, even the best filtering tools miss between 7 and 10 percent of the spam that CISOs would love to see caught. That puts the onus on employees to manually filter the rest. It’s for this reason, and others, that Rebecca Kennis, CISO at Arnot Health, is laser focused on created a culture of cyber where security is everyone’s job, and nobody thinks of it as unnecessary interference in their work. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Kennis discusses these issues and many others.



LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 



Bold Statements

The first thing that I do when I’m talking with a new set of employees, when we’re introducing this to any group at all, is really to make sure that they’re understanding the why. Because if they don’t understand the why, they’re never going to hear the what.

These things need to be presented to them not just once a year when it’s time to do the annual required trainings, that needs to be throughout the year. You can’t just have the once and done with security and expect anybody to retain and have that build any culture of security in the organization.

I always make sure I tell new employees that come in, if you click on something, if something happens, and you’re like, ‘Oh geez, I shouldn’t have done that,’ let us know right away. You will not get in trouble for doing that if you let us know right away. If you try to pretend like it didn’t happen, we can’t promise you will not get in trouble for that. 

Anthony: Welcome to healthsystemCIO’s interview with Rebecca Kennis, CISO with Arnot Health. I’m Anthony Guerra, founder, and editor-in-chief. Rebecca, thanks for joining me.

Rebecca: Thanks for having me.

Anthony: Very good. Let’s start off – tell me a little bit about your organization and your role.

Rebecca: Arnot Health is a small to medium-size healthcare organization located near the southern tier of New York and very northern tier of Pennsylvania. We have three small hospitals. We have a skilled nursing facility. We have some graduate medical education and around 50 or so primary and specialty care practices throughout the region.

Anthony: I’m not too familiar with that specific area. Would you describe it as rural or not quite?

Rebecca: Parts of it are very rural, yes. I guess you could definitely classify it as rural.

Anthony: Very good. There will be some issues we’ll touch on that are specific to smaller rural facilities having significant challenges around cyber that we’ve heard about recently. We’ll talk a little bit about that.

But I want to start with an open-ended question and just ask you what’s on your mind, what are either the main things you’re working on, looking at, thinking about, that type of a thing, well go from there.

Rebecca: The biggest thing that I have on my mind right now is building up our culture of security at Arnot. Any healthcare organization has all of the patient care issues they’ve got going on, they’re trying to maintain the proper nursing ratios. They’ve got all kinds of issues with all of that. The last thing that they necessarily have on their minds is how are they going to protect the data that they have.

It’s my job and my team’s job to make sure that’s at the forefront of their minds. The way that we’re looking to do that is to really...