The Scale and Complexity of Federal Healthcare Security
Robert Wood, former CISO of the Centers for Medicare and Medicaid Services (CMS), discusses the unique challenges of protecting the nation's largest healthcare payer serving 130 million Americans. The conversation reveals the dramatic shift from leading a small startup security team to overseeing hundreds of personnel responsible for securing critical federal healthcare infrastructure. Wood describes the inverted staffing model common in government agencies, where approximately 50 federal employees oversee more than 400 contractor personnel across security operations, privacy, compliance, and risk management functions. This contractor-heavy structure creates complex supply chain dependencies with multiple layers of subcontracting, where operational work is performed by external organizations using their own tools and infrastructure. The discussion highlights how this dynamic fundamentally differs from private sector security operations and introduces unique accountability challenges when managing risk across boundaries the CISO doesn't directly control.
Managing Major Incidents Across Organizational Boundaries
Wood shares firsthand experiences managing critical incidents including SolarWinds, MOVEit, and Log4J while at CMS, emphasizing that all major incidents occurred outside the agency on agency data or programs. This reality created the fundamental challenge of managing risk without direct control, relying instead on policy, direction, and accountability mechanisms that often proved insufficient. The conversation explores the political pressures and congressional interactions that accompany federal cybersecurity incidents, including the need to provide rapid answers to leadership while coordinating response efforts across multiple contractor organizations. Wood discusses the personal toll of incident response, particularly the dangers of sleep deprivation and the importance of self-care during crisis situations. He emphasizes that technical competence alone is insufficient when navigating the political dynamics with boards, Congress, and senior leadership during high-stakes incidents.
Building Security Data Infrastructure and SBOM Programs
Wood describes a strategic initiative to build a security data lake using Snowflake, expanding beyond traditional telemetry-focused security data collection to incorporate business intelligence data for correlation and analysis. This effort aligned with Executive Order 14028's Software Bill of Materials (SBOM) mandate, which required organizations selling to the government to provide software supply chain transparency. Despite industry complaints about the mandate's utility, Wood explains how SBOM collection proved tremendously valuable during zero-day incidents like MOVEit, enabling rapid queries to determine which contractor environments were using vulnerable components. The initiative represented a shift toward proactive asset management and supply chain visibility in an environment where contractors often couldn't quickly answer basic questions about their technology stacks. This technical infrastructure investment aimed to address the fundamental information gap that made risk management across contractor boundaries so challenging.
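The kind of zero-day query the SBOM collection made possible, as an added illustration that is not code from CMS or from the episode: a handful of constructed CycloneDX-style SBOMs, one per (invented) contractor environment, are triaged against a component and the version that fixes it. The environment names, component names and versions are all assumptions made up for this example.

```python
import re

# Constructed CycloneDX-style SBOMs, one per contractor environment. Sample data
# written for this example; environment names, components and versions are invented.
SBOMS = {
    "contractor-a-claims-portal": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "example-transfer", "version": "3.1.4"},
        {"type": "library", "name": "openssl", "version": "3.0.8"}]},
    "contractor-b-eligibility-api": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "example-transfer", "version": "3.2.0"}]},
    "contractor-c-analytics": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "example-transfer"},  # version field missing
        {"type": "library", "name": "log-core", "version": "2.17.1"}]},
}

# Worst-first ordering when an environment ships several copies of the component.
SEVERITY = {"affected": 0, "unknown-version": 1, "patched": 2}


def version_key(version):
    """Numeric comparison key: '3.1.4' -> (3, 1, 4). Simplified, not full semver."""
    return tuple(int(p) for p in re.split(r"[.\-+]", version) if p.isdigit())


def components(sbom):
    """Yield (name, version-or-None) from a CycloneDX document; reject other formats."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % sbom.get("bomFormat"))
    for comp in sbom.get("components", []):
        yield comp["name"], comp.get("version")


def triage(sboms, component, fixed_in):
    """Map each environment listing `component` to affected / patched / unknown-version.

    An SBOM proves presence, not absence: an environment missing from the result
    is "not listed", which still needs a follow-up question to the contractor.
    """
    status = {}
    for env, sbom in sboms.items():
        for name, version in components(sbom):
            if name != component:
                continue
            if version is None:
                found = "unknown-version"   # SBOM too incomplete to clear this environment
            elif version_key(version) < version_key(fixed_in):
                found = "affected"
            else:
                found = "patched"
            if env not in status or SEVERITY[found] < SEVERITY[status[env]]:
                status[env] = found
    return status
```

In a Snowflake-style data lake the same question becomes a join between the SBOM component table and an advisory table keyed on environment, but the two caveats in the code (missing versions, and absence from an SBOM not meaning absence from the system) carry over unchanged.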
Leadership Lessons: Mission Focus and Communication Skills
Reflecting on his career progression, Wood emphasizes the critical importance of grounding security work in the organization's core mission rather than getting swept up in anxiety about vulnerabilities and breaches. He describes how security leaders must prioritize mission enablement over security perfection, recognizing that operational continuity is often the primary organizational mandate. Wood shares advice he gives to emerging security leaders about avoiding unsustainable patterns driven by good intentions, warning that trying to carry the world on your shoulders will eventually bury you. He stresses the value of practicing business communication skills, describing how his wife's coaching on public speaking helped him translate technical concepts for executive stakeholders. Wood recounts an early career experience where he fumbled explaining red team results to a bank executive because he could only provide technical answers, highlighting how the ability to build coalitions and work collaboratively across teams is essential for security effectiveness. The conversation concludes with his core advice: understand your mission, know your stakeholders, and test every initiative against those first principles.