Please tell us a bit about yourself, your background, and your journey of becoming a CISO at Help at Home.
My name is Chris Lockery. I am from the Hartford, CT area, and I have been in cybersecurity for 20 years. I have my undergrad in MIS from the University of Connecticut (go Huskies!) and my MBA from the University of Hartford.
I started off performing vulnerability and risk assessments and found my passion in intrusion detection and incident response. I was able to lead the build-out of global security operations centers for a Fortune 20 healthcare company, and we were on the cutting edge of deploying large-scale SIEMs, comprehensive DLP and were early adopters of formalizing threat intel, hunt and red/blue/purple teams in our industry.
Almost two years ago I took the opportunity to lead the cybersecurity and infrastructure organizations at Help at Home as VP CISO and Head of IT Infrastructure.
What drew you into working for Help at Home and what does your current role entail for such a unique organization?
I took the opportunity to lead the cybersecurity and infrastructure organizations at Help at Home because of the noble mission to help elderly and disabled individuals have great days and meaningful moments and allow people to age with dignity at home, which is where the majority of people want to reside. That, coupled with the amazing leadership team and the rapid growth, really made me passionate about helping the company continue to grow and deliver on our mission.
My role entails leading the secure build-out of our core infrastructure and cloud services and maturing the cybersecurity program that supports 170 branch offices and over 50K caregivers in a dozen states and growing.
What is the most common misconception that people have about information security within the Healthcare industry or in general?
One of the most common misconceptions about cybersecurity is that it is solely an IT issue. Many assume that simply implementing technology solutions such as firewalls and anti-virus software is sufficient to secure an organization. In reality, information security is a business challenge that requires a comprehensive approach including integration with enterprise risk management and compliance functions, employee training and education, robust policies, and building products that are secure by design. Additionally, many people assume that cyberattacks can only target electronic health records when in reality attacks can also target medical devices and wearables that may not have robust security protections.
What challenges do organizations face in general when managing third-party risk?
Many large organizations struggle with the complexity and volume of third-party relationships in an ecosystem that relies more on the supply chain and cloud services than ever. The interdependencies between multi-cloud and hybrid delivery models, Software as a Service, and 4th party (sub-contractor) relationships can be a daunting task for organizations to manage.
The global privacy and regulatory landscape has become more complex and strict over the last several years as well in terms of data residency requirements and breach notification laws that differ in every state and country. Ultimately you can outsource responsibility but you can’t outsource liability. Organizations must continue to perform due diligence on third-party suppliers and seek to automate this function and supplement it with real-time threat intelligence wherever possible.
On a more personal note, what values are most important to you as a leader?
Trust is the number one factor for people on my team and it’s bi-directional. You have to have people who are open to honest feedback and you have to be willing as a leader to take feedback from your team to continuously improve. In addition, the team mentality is critical. One of my favorite quotes is by Coach John Wooden, “A player who makes the team great is better than a great player.” I have definitely experienced situations where you may have a truly great talent on a team but if they seek to grab all the glory and leave their team members behind you will ultimately have fewer victories than with a team that lifts each other up. I try to live by that example and look for people on my team who will do the same.