Q&A with Sahan Fernando, CISO, Rady Children’s Hospital: “This role is a strategic business leadership position”

In this day of the Great Resignation, where all organizations, not just in healthcare, are struggling to maintain a workforce, Rady Children’s Hospital and its CISO, Sahan Fernando, are not in a bad position. The hospital has always endorsed remote work, according to Fernando. Rady puts a lot into the people behind its mission, and that means being flexible. When it comes to “good talent” and “really good people who you want to stay, you find a way to make it work as much as possithe ble,” Fernando says. He also offers insight into some of the lessons he’s learned as a CISO through the years.

LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 



Bold Statements

VPN is not a right. It’s a privilege.

I still have to understand technical things, but more of my job is working on business problems and helping to make secure business processes.

I try and teach this lesson proactively: think, to the greatest extent possible, what is the impact of what you’re about to do?

Guerra: Sahan, thanks for joining me today.

Fernando: Thank you so much for having me on.

Guerra: All right, if you want to start out, tell me a little bit about your organization and your role there.

Fernando: Absolutely. So Rady Children’s Hospital is a healthcare system based out of San Diego, California. We have a couple different areas from which we serve our pediatric population. So that includes from pre-birth support all the way up to birth and through later stages of life. I believe the oldest population we serve goes up to about 21 years old. So, we really work through all stages of development with our youth – serving not just San Diego County, but Imperial County and Riverside County, as well as working with other hospitals on strategic partnerships, both nationally and internationally. My role as the chief information security officer is to oversee the information security program across all of our organization’s units, so that role oversees a team that serves not just the acute care hospital, but our Genomics Institute, our primary care, and various other interests.

Guerra: Very good. Okay. So, I like to find out how people wind up in this interesting spot—pretty “nichey” I like to say. It’s not just healthcare; it’s not just security–it’s healthcare IT security. So how did you wind up here?

Fernando: Boy, well, the shorter version is with a lot of luck. I’m definitely very, very fortunate. So, I attended Gonzaga University up in Spokane, Washington. And I had studied computer science, a little math, but really, my major was in business management information systems. I grew up with very classic, casual computer use. And as the Internet became a little bit more ubiquitous, I was finding lots of ways to explore gaming and knowledge and media, all sorts of fun stuff. I knew I liked technology. Initially, I was really looking at casting a pretty wide net as I was getting ready to finish school. I definitely waited a little long on the job search front. I didn’t really have much skill in terms of coding. It really was never my strength.

And so, as I was searching around, I really was looking more at what was tech-related and was it in a place I felt like living and I was very fortunate that I applied for an information security analyst job for a managed security service provider in town, and somehow got an interview. My former boss, who’s still a very close friend of mine, said that the cover letter apparently went a l...