The Resilient CISO: Balancing Mental Health, Team Dynamics, and Incident Response - Exabeam

Published: July 11, 2023
Reading time: 9 mins

In the cybersecurity field, professionals like Martin Fisher, CISO at Northside Hospital, bring unique experiences and perspectives to their roles. In episode 88 of The New CISO, Fisher shares his insights on team building, managing mental health, and prioritizing time. With a wealth of experience, Fisher offers valuable advice on defining company culture and empowering your team. In this blog post, we’ll explore the key takeaways from the episode.

Growing up as an OG nerd

Martin grew up alongside the birth of Dungeons and Dragons, and “just glommed onto it.” A self-described “OG nerd,” he developed a deep love for tabletop roleplaying games. After a decades-long hiatus, he recently rediscovered his passion for the cooperative fantasy game and formed “a great circle of friends” who joined him in virtual gaming sessions during the isolating days of COVID lockdowns.

In addition to gaming, Martin is an avid woodworker who finds joy in “being able to dissociate and focus on building a thing.” This hobby offers him a sense of satisfaction that can sometimes be elusive in his security job, where projects can often feel incomplete or where the tangible benefits may not be immediately apparent. Martin finds it therapeutic to create “something pretty that my wife or my kids or my friends will enjoy using.”

Prioritizing mental health

Martin has been with Northside Hospital for nine years, serving as a hospital CISO throughout the COVID pandemic. Through this experience he has learned that “mental healthcare is healthcare,” and emphasizes that “therapy is a hugely important thing.” He advocates for mental healthcare and breaking the stigma surrounding the use of mental health services. “A lot of people don’t ever want to say that. But I’ve got to be able to support what I do for a living. I believe in the mission of Northside. We’re a not-for-profit, community-based hospital system,” he explains.

As host Steve Moore points out, the CISO profession experiences “high rates of mental health issues, substance abuse, divorce, heart attacks, strokes, and other stress-related health problems.” Martin agrees that coping with the stresses of the job can be difficult, but he has learned through therapy the importance of setting boundaries. “I think a lot of the folks that we see in the community who get crushed by what’s going on either can’t, don’t, or won’t set a boundary that says, my profession, my career goes this far, and no further from this point afterwards,” Martin says. Decompression is essential, especially as security professionals advance in their careers and face increasingly stressful positions.

Building a unified security team at Northside Hospital

When Northside Hospital realized the need to prioritize cybersecurity, Martin interviewed for the security role and immediately felt a connection to the organization. Starting as a team of one, he quickly began building a team. Now, as a CISO, he works “in a company that has budget and executive support in a corporate culture that uptakes security really, really well.” As his team has grown — currently numbering 26 with plans to expand — they’ve been able to add capabilities and mature the security program. “In terms of patient safety and quality of care, the organization understands the investment,” says Martin. “When you do what I do for a living and a CFO in a meeting with their peer group calls your program an investment and not a cost center, that’s winning,” he continues.

Martin sees the connection between security and protecting patients. He and his team are careful stewards of their budget, recognizing that “every dollar we spend on security is a dollar we’re not spending on healthcare.” 

Hiring for the right fit

Martin is proud of the team he’s built and explains that his organization’s criteria for hiring are “pretty unusual.” He understands that candidates who lack the exact skillset or experience can be trained and given opportunities to learn and grow. “But if their mama didn’t raise them right, we don’t have the time, inclination, or energy to help them.” He emphasizes the importance of fit, saying that if a candidate’s personality is completely opposite to the organization’s culture, “No matter how good you are, no matter how much they pay you, you’re going to be unhappy. And unhappy people make more unhappy people.”

Martin recalls once receiving terrible career advice to work at a hedge fund: “I was not a good fit and I tried to force myself to fit and it ended gloriously badly,” he said. He stresses the importance of “being your authentic self” at work and finding the right fit.

Flipping the CIA triad

The primary aim of a hospital is to provide medical care so that patients can get better and go home. Martin sees the worst possible outcome of his program as hurting someone while they are in his hospital. In the inpatient setting at Northside, there are 67,000 endpoints, two-thirds of which are medical devices. Martin explains that in the special care nursery, there are 23 devices surrounding each baby in their bassinet. Security cannot interfere with the use of those medical devices; rather, the security team must do everything possible to protect them. Martin says, “The devices have to be available, the telemetry systems have to be available. So we fight for availability” — the A in the CIA triad (confidentiality, integrity, and availability).

Confidentiality takes lower priority. As Martin says, “It’s a bad day when your medical information gets breached, but that’s not going to physically harm you. You’re going to get some free credit monitoring and assurances that we take the privacy of your information very seriously.” For CISOs in most other industries, their primary concerns would be protecting things like customer credit card information or protected health information (PHI). It’s a little different for Martin and his team at Northside, who must prioritize securing things like radiation oncology devices.

Martin notes that 99% of security incidents stem from ransomware events, which primarily affect system availability. If ransomware infiltrates the hospital’s environment, it could potentially disable critical systems, such as biomed control systems. “From a security incident perspective that I worry about the most, it’s ransomware and we’ve invested a lot of time and energy in making ourselves more resilient and getting more proactive about it,” says Martin. While other types of incidents do occur, the organization gives his team “a little bit of grace.”

At Northside, Martin and his team have developed a program that promotes candidness and pragmatism with their steering committee. They maintain transparency and acknowledge that incidents will happen, keeping leadership informed even when minor issues arise and are effectively contained or mitigated.

The hospital was recently targeted in a DDoS attack by KillNet as a demonstration of anger against the United States for its support of Ukraine in its conflict with Russia. Northside’s website temporarily went down, but they managed to get through it. Martin appreciates the supportive culture at his workplace that fosters open communication with senior leadership. “I never felt that I was being career-challenged. It’s that alignment that says, you know, we’re going to work together. And I know that if I need help, I can reach out to my CFO or COO and go, ‘Hey, this is happening. Here’s the potential impact to care delivery. I need these three things. Can you help me?’ And those things are always made available.” Martin recognizes that not every organization operates in the same way and feels fortunate to be in his role at Northside.

Maintaining composure during incident response

Martin believes that experiencing difficult situations builds self-confidence. He recalls a particularly challenging day during his military training when he participated in the “mask confidence” exercise, which involved sitting in a tear-gas-filled room wearing a mask and then removing it upon the drill sergeant’s command. This experience taught him that no day in security would be as challenging as some of the things he faced in the military. When dealing with incident response, he reminds himself, “I’ve been through worse, right?” This mindset helps him remain composed when handling security incidents and crises.

A leader must stay calm so as not to distress others. Martin explains that when employees see their leader visibly distraught or lacking confidence, they may question their own position. Conversely, working with someone competent and confident who can adapt when needed helps reduce friction during incident response and bolsters team morale.

Martin likens incident response to the military’s approach of empowering its members to perform their mission — the commander’s intent — by defining the desired outcome, rather than dictating the specific methods. As an executive, he focuses on communicating the required outcome or deliverable and ensuring his team has the necessary resources to accomplish their tasks. By hiring the right people at all levels and establishing clear expectations, the tension during incident response can be significantly reduced, allowing the team to concentrate on rapid recovery.

Conclusion

Martin Fisher’s experience in the cybersecurity field underscores the importance of prioritizing mental health, building a cohesive team, and keeping one’s cool in challenging situations. By embracing hobbies, advocating for mental health care, and focusing on the right priorities, CISOs can navigate the challenges of their roles more effectively. Martin’s experiences and advice serve as valuable lessons for current and aspiring CISOs, emphasizing the value of personal well-being and team dynamics in achieving success.

Listen to the Podcast

To dive deeper into Martin’s insights and experiences, listen to the full episode or read the transcript.

The New CISO Podcast Episode 88: "The Patient Safety Model: Developing a Hospital’s Security Culture" with guest Martin Fisher
