Today we have another great interview for you! Meet Saqib Chaudhry, CISO of Cleveland Clinic Abu Dhabi. We spoke about cyber security in the health care industry, studying at Harvard, and certifications. Dive in!
[eForensics Magazine]: Hello Saqib, how have you been doing? Can you introduce yourself to our readers?
[Saqib Chaudhry]: Hi Marta, I am doing well. I consider myself a technology enthusiast and a futurist with leadership experience in Information Technology, Cyber Security, Enterprise Risk Management, Business Resilience, and IT Internal Audit & Compliance.
Most of my career has been spent working as a consultant, with firms such as Deloitte & Touche and Grant Thornton. These firms provided me with a strong business and technical foundation while also giving me the opportunity to develop and implement comprehensive operational strategies and solutions for numerous organizations across North America and the Middle East, spanning various industries including Healthcare, Telecom, Energy, Oil & Gas, Manufacturing, Pharmaceutical, Financial, Law Enforcement and Government.
[eFM]: You are a CISO at Cleveland Clinic Abu Dhabi (CCAD). Can you tell us, what are your main responsibilities there?
[SC]: I would divide my responsibilities into the following three areas:
1 - Operations: Managing Information Security, Network, Unified Communications, and the IT Planning & Development teams; ensuring that the related Key Performance Indicators (KPIs) are met and Key Risk Indicators (KRIs) are managed and improved.
2 - Regulatory Compliance: Identifying and rationalizing applicable (global/regional) regulatory requirements related to Information Security. Developing approaches to achieve compliance in a manner amicable with the organizational goals and objectives.
3 - Strategy and Governance: Formulating an Information Security strategy that is in line with our organizational strategy of becoming a fully digital hospital. Developing and executing an Information Security Management System (ISMS) that governs the overall Information Security program.
[eFM]: Which areas prove to be the most challenging?
[SC]: The most challenging, yet equally rewarding, areas include:
- Keeping pace with Digital Transformation in terms of overall Information Security governance and data privacy.
- Protection against the exponential increase in advanced threats such as Advanced Persistent Threats (APTs), Zero Days, etc.
- Keeping up with the growing rigors of regulatory compliance.
- Protection of medical devices that require network connectivity.
[eFM]: CCAD provides a U.S. model of treatment in Abu Dhabi. Is it private? What would you say is the main difference between hospitals in the U.S. and CCAD?
[SC]: CCAD is an Abu Dhabi government-owned hospital that was established as a result of an agreement between Mubadala Development Company and the US-based Cleveland Clinic in support of Abu Dhabi’s Economic Vision of 2030 to develop a robust, world-class healthcare sector in the emirate.
From a perspective of excellence in terms of technology, expertise, and the delivery of care, the hospital follows the US-based Cleveland Clinic model of care. The difference lies in the local culture, people’s economic and social norms, and general awareness related to health-related lifestyle practices.
[eFM]: What do you think about recent attacks on health care? Why does it happen? Why would anybody want to attack a place where people are being helped?
[SC]: The two main reasons why the healthcare industry is becoming the key target of cyber-attacks are as follows:
- Cybersecurity approach of the healthcare industry as a whole is behind the times. In the era of Digital Transformation, the healthcare industry has not taken adequate measures in keeping itself secure against malicious cyber activities and insider threats that have rapidly increased in intensity, magnitude and complexity.
- Healthcare data is becoming more lucrative for cyber-criminals who either sell the data on the black market or encrypt it and then extort ransom (ransomware) from the healthcare provider.
Medical records, in general, contain much more Personally Identifiable Information than records maintained by other industries. A typical healthcare record may include information such as credit card data, email addresses, insurance, social security numbers, employment information and medical history, much of which remains valid for years, if not decades. Cyber-criminals are using this data to launch spear-phishing attacks, commit fraud and steal medical identities.
As per Robert Gregg, Chief Executive of ID Experts, “A financial identity can be worth $5 to $10 if you have all the info. A medical identity can be five to 10 times that amount just because how easy it is to monetize that information once the bad guys get it.”
[eFM]: What advice would you give to other hospitals? What should they do in order to prevent cyber-attacks?
[SC]: I believe CISOs should rethink their overall Information Security strategy to keep up with the pace of digitalization. With the growing use of Cloud, Social Media, Big Data Analytics, Mobile Computing, Robotics, telemedicine, etc., it will be beneficial to drift away from the traditional Device-Centric strategy and start moving towards a Data-Centric approach. Ideally, if you are able to implement appropriate data security & privacy controls at the source, then depending on where that data flows the overall risk will be manageable.
Additionally, to better protect IT networks against Zero Days/APTs, a CISO should consider investing time and resources into:
- Next generation security solutions that make use of promising technologies such as Context Based detection/prevention and Artificial Intelligence (AI).
- Advanced analytics including user behavior analytics, system behavior analytics, and threat modeling.
- Innovative ways of conducting Information Security User Awareness, including gamification, animation, info graphics, etc.
[eFM]: Since the Cleveland Clinic is an extension of a US-based hospital, do you think it has to face many more attacks than a “native” clinic or hospital? Just because there is more data and money included or because it’s a foreign company?
[SC]: I certainly wouldn’t preclude the possibility that, since CCAD is an extension of a US-based, globally renowned hospital, it is on the radar of cyber-criminals globally. However, there are a couple more compelling reasons, including:
- The fact that the United Arab Emirates (UAE) is now the second most targeted country (by cyber-criminals) in the world, second only to the United States, according to the UAE’s Cyber Security Centre.
- The geopolitical atmosphere in the Middle-East where nation state actors, in addition to cyber-criminals, may also be involved in conducting malicious cyber activities.
[eFM]: Wow, you graduated from Harvard. Maybe this is a stupid question, but was it hard? Was it worth it? Would you recommend it to future cyber security professionals?
[SC]: I have completed an Executive Education course on Cybersecurity from Harvard University and am currently pursuing a graduate (Masters) degree in Information Management Systems with a focus on Cybersecurity.
I would consider a Harvard education as state-of-the-art and an enabler of critical thinking. I certainly have benefited from the education that I have received thus far, and would recommend it to any cyber security professional.
[eFM]: What is so special about studying there? And what counts more in cyber security world, education or passion?
[SC]: The real differentiator, I believe, is the learning from faculty who are regarded as thought leaders in their respective areas providing both strategic and tactical perspective in tackling real life business problems. This also goes hand-in-hand with the competence of my fellow-classmates, as they are also leaders in their respective fields and have real world experiences to share.
I believe passion and education are equally important for professional growth in any field. Education can help you discover an area for which you may develop a passion. Similarly, education may help you in discovering ways to excel in a field that you may be passionate about.
[eFM]: In cybersecurity, in general, there are many options for education, there is formal, university education, there are other courses, certifications… Which would you consider the most important?
[SC]: As the Information Security field becomes more competitive, the right mix of formal university education and certification will be needed to keep an edge over the competition. From a certification point of view, I would recommend the following certifications:
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- GIAC Security Essentials (GSEC)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Auditor (CISA)
Additionally, I would recommend attending Information Security related conferences such as Black Hat, DEF CON, SANS, RSA, etc., to stay abreast of the leading and bleeding edge technologies and solutions.
[eFM]: Why did you leave the US? You have a great education, amazing experience in top companies...
[SC]: To gain global experience, especially in an emerging economy.
[eFM]: Can you tell us something about the FBI Certificate, Cyber Security Threat Management and Incident Response?
[SC]: In 2015, I was selected as one of the 28 U.S. Chief Information Security Officers for the inaugural FBI CISO Academy course at Quantico, Virginia. The course provided useful insights into:
- the current state of cybersecurity across the globe;
- key cybersecurity challenges faced by governments and the private sector; and
- tips and tricks for preparing for and responding to cybersecurity incidents.
[eFM]: Is there any challenge your company is facing at the moment?
[SC]: There are some inherent challenges related to being a state-of-the-art greenfield organization and due to the fact that our goal is to become a fully digitalized hospital.
Nothing unique to our organization per se and nothing that cannot be overcome with time and resources.
[eFM]: What do you like to do in your spare time?
[SC]: I like to travel and read about history, philosophy, current affairs, and future technologies.
[eFM]: Do you have any piece of advice for our readers?
[SC]: Don’t be afraid of failure. Remember that “Best Practices” are derived from lessons learned, which are accumulations of both failures and successes. Should you fail, quickly conduct a ‘lessons learned’ and move on to pursuing your goals.
Saqib Chaudhry is a thought leader and futurist with over 17 years of experience in Cyber Security, IT Infrastructure, Enterprise Risk Management, Business Resilience, Data Privacy, Internal Audit and Compliance. In his current role as the Chief Information Security Officer (CISO) at Cleveland Clinic Abu Dhabi (CCAD), Saqib is responsible for the implementation and management of the overall Information Security program. In addition, Saqib is tasked with managing the IT Network Infrastructure, Unified Communications, and Infrastructure Planning & Development functions at CCAD.
Prior to joining CCAD, Saqib worked with Deloitte & Touche Middle East as the MENA regional leader for Business Resilience and with Deloitte & Touche US as a Security & Privacy Practitioner. Throughout his career, Saqib has led the design and implementation of numerous Technology, Cyber Security, Privacy, and Risk projects for clients based in North America, Europe, the Middle East, and South Asia. Saqib has a breadth of experience in designing innovative strategic solutions for organizations across various industries including Healthcare, Telecom, Oil & Gas, Nuclear, Law Enforcement, Financial, and Government.
Saqib is currently pursuing a Master’s degree in Information Management Systems with a focus on Cyber Security from Harvard University, USA, and is an alumnus of the US Federal Bureau of Investigation (FBI)’s CISO Academy.