“Create your long, medium and short term plans and then you work on them.”

CISO Interview Series: Vladimir Petranovic, CISO, Atlantis Healthcare

Healthcare, I would assume, has a low risk profile as it is an organisation focused on wellbeing and good health. Is this a naïve assumption, and is your organisation in fact targeted as much as others?

This is a very naïve assumption but unfortunately prevalent not only among the general public, but also within healthcare IT and senior management. This is especially visible with small healthcare providers that don’t have enough resources to dedicate to security and risk management. And the risks are huge: there are privacy issues related to patients’ data, governmental restrictions and standards required for holding and processing patients’ data, and sovereignty issues if the organisation is multi-national, where each nation has different rules and regulations.

I’m interested in understanding how you engage with the business folks in healthcare. Assuming many of them are doctors and administrators, do they understand the importance of cyber security?

Most of them support security initiatives, but when it comes to execution there is not enough will and determination to invest in security. However, the same people hit quite a high hurdle when they start to negotiate with government organisations and customers that require certain levels of security posture.

On a scale of 1-5, do you expect that your investment in Cyber & Information Security will increase over the next 3-5 years? What’s going to drive that?

Obviously it should be 5, simply because most healthcare organisations are significantly lagging behind security requirements and regulations, so they will need to catch up in order to survive.


Could you describe your average day as CISO? Do you have a particular routine for the start and end of the day?

Every day is different, but I usually start working at 6 AM so I’m well prepared for the next day. I don’t like surprises so my first activity is to check security news and statuses.

How do you balance your own bandwidth between attention to your longer term security agenda and today’s issue that has just arisen?

You need to create your long, medium and short term plans and then you work on them. Then you need to set your priorities and make a decision about where you are going to channel your energy at that moment. It all depends on priorities.

I’ve heard that “information that healthcare organisations hold is anywhere from 50 to 250 times more valuable than other personal information”.

So if I were a hacker, there is some really interesting personal information that would be stored by Atlantis Health. How do you secure these ‘crown jewels’?

I can’t put a monetary value on personal information. If breached, it could mean a big reputational hit to an organisation and even the end of that organisation. The governmental organisations are very strict and conservative when it comes to personal information leakage, and breaches usually end up on the TV news with the health minister having several microphones under his (or her) nose.

To protect private information you need to make sure you follow all the health standards, rules and regulations in the first place; then you need to assess your specific risks and devise countermeasures to eliminate them.

What percentage of your records are digitised and how many are scanned documents? Do you apply the same security framework to both media?

Most records are in digitised form; only a small proportion of records are in physical form. Security of information in physical form is also within the realm of CISOs, and sometimes it is easier to explain the security issues of physical documentation than of electronic documentation. You simply cannot allow situations like the one where private documents were floating down the road just because nobody expected the flooding risk.

For best practices, where do you look to understand this, both in general terms and more specifically around your own domain?

For me, best practices are for general types of organisations like a textile factory, forestry etc. Healthcare is under strict regulation from the government and has to satisfy the same requirements as the other governmental organisations (internal affairs, police, military).

Are you more concerned about internal technology vulnerabilities or about rogue insiders?

These days, if you say that you are concerned about rogue employees you will probably be in the sights of the internal politically correct watchkeepers. So you don’t say it. You run security awareness programs where each presentation starts with a slide that specifies the percentage of internal breaches in other organisations.

When you think about adding new talent to your team, what key attributes do you look for when selecting a new staff member? Also, I’m aware that there is a shortage of capability in the industry; how long does it take on average to find new talent?

Personally, I look at the completely opposite attributes to those typical HR and the rest of the CxO team look at. I look at quality, expertise and similar categories. Everything else is less relevant.

How do you keep up to date with developments in Cyber Security? I heard of another CISO who ensures that his staff are all accredited to be able to ‘hack’, so that they understand vulnerabilities and can ‘defend’.

Personally, I like to work on several fronts simultaneously. You need to be a member of professional bodies and follow their activities, you need to follow industry developments, and you need to follow academic developments and research. If possible, you should do academic research yourself.

Finally, what keeps you awake at night?

A good sports event or movie.

Tags: CISO interview, Vladimir Petranovic, Atlantis Healthcare, David Gee, CSO Australia