Why CISO Taylor Lehmann couldn’t pass up coming to Google

“You don’t get religion on cybersecurity from security incidents,” says the chief information security officer.

Taylor Lehmann likes to say he’s had almost every job in security, in almost every facet of healthcare. In addition to previous roles as CIO and consultant, he has been a chief information security officer at the health system Tufts Medicine and the medical IT-services provider Athena Health. His title these days is director, office of the CISO for Google Cloud Health.

His responsibilities at Google, Lehmann said, include assisting healthcare customers as they adopt cloud-based automation and the high-powered data processing that supports workplace functions such as automatic scheduling, discharge notes, and shift-change alerts.

“It’s fun to be able to work [at Google] on some of these harder problems that you can only really see once you’ve experienced them from all these different vantage points,” Lehmann said.

In a conversation with IT Brew, Lehmann talked about those harder problems, secure data practices, hospitals’ movements to the cloud, and the unique threats to healthcare environments.

This interview has been edited for length and clarity.

It seems tough to be a confident CISO of a hospital because there are so many risks. What strategies can help provide a level of assurance?

I think what most high-performing CISOs do is, number one, they participate in intelligence-sharing religiously: That is, building small, growing networks between themselves, their peers, and other organizations that kind of fit within the threat landscape that they face, have similarities, and then have a shared belief or goal that an attack on one is an attack on all. Therefore, the better able they are to learn from the things they see, and share them, the better protected all of these organizations will be.

Google’s a huge believer in this, and this is where relationships with the Information Sharing and Analysis Centers (ISACs) are a big deal for us.

And what tools can help provide assurance?

Make sure you have a consistent end-product every time you do something. And that in and of itself can eliminate entire classes of threats that we see: making sure every workload deploys minimum sets of encryption, that every workload is created within a secure perimeter, that every identity accessing that perimeter is coming from a known and trusted source. And not just when you set it up, but continuously after it’s up and running; that gives you a ton of visibility into what’s working and what’s not.


So, instead of having to focus on every bazillion-level threat, you can say, “Well, I’ve got X percent of the threats that I think are relevant and completely addressed through architecture.” That gives me time to actually go focus on the remaining percentage of things that I’m probably less comfortable and certain on, which if you ask any CISO in this business, being able to at least focus on the most capable and highest-likelihood attackers versus all of the attackers is a position you kind of want to be in.

You talked about solving hard problems. What’s the toughest problem for healthcare CISOs to solve right now?

I’m a firm believer that you don’t get religion on cybersecurity from security incidents. That’s the wrong time to learn that this is important stuff. I also certainly don’t agree that we need, necessarily, laws and regulations to compel organizations to do the right thing when it comes to cybersecurity, because we talked about the downsides of getting this wrong in healthcare: It’s more than just you lose a bunch of records.

And yet, I see organizations struggling to understand what they need to do to operate a reasonable security program that appropriately balances risk, especially now, in light of some of the SEC rules around incident reporting and board governance.

I see us really shifting organizational culture to understand the serious nature of the threats that [the organization] faces, and doing more than just security for the purposes of legal compliance. Understanding that the customer—in this case, human safety—is the outcome of a good job and, unfortunately, the downside of a bad job. And I think when you put people, family members, and friends in situations of harm, [security] becomes very important. But it shouldn’t come to that to compel organizations to make the appropriate investments to maintain their technology and to invest in cyber.
