Bob Maley’s career in cybersecurity includes prominent leadership roles at PayPal as head of its Global Third-Party Security and Inspections team, and as CISO for the Commonwealth of Pennsylvania. Currently the Chief Security Officer at Black Kite, Maley has unique insight into the development, implementation, and oversight of private- and public-sector risk management programs.
On the Nexus Podcast, Maley discussed the resource challenges facing not only critical infrastructure asset owners and operators, but also how those challenges are impacting risk-management efforts in critical industries.
“I think there's a resource challenge everywhere,” Maley said. “You know the battle that we're in with bad actors; they are far more agile than us. They are more resilient. They can pivot. And it seems like sometimes they have better resources than a lot of places do. That's the lay of the battlefield.
“We have an opportunity, I think, to change how we've done things in the past,” Maley said, “especially in the private sector, [and] critical infrastructure.”
The key—especially in light of overall budget cuts and Medicare cuts in the Big Beautiful Bill Act impacting rural healthcare in particular—is that CISOs align their risk management programs to improve the organization’s core competencies and deliver business objectives.
“I'm about quantification of risk, understanding risk in dollars and cents, understanding X-exposure and how that exposure connects to the bottom line in the business,” Maley said.
For hospitals, including smaller rural hospitals that could be hardest hit by budget cuts, patient care and safety are the bottom line. Maley said CISOs must have visibility into systems where any downtime equates to, for example, degradation of patient care, in addition to lost revenue.
“If we can prevent one 24-hour ER outage and not cancel 37 procedures, not delay 14 stroke interventions, and not erase $420,000 in net revenue—if I as a CISO can talk like that with the people at the hospital who are running the budget, guess what, I've got a better chance of not getting budget cut.”
Security leaders, especially those in the public sector, also face pressure from impending regulatory changes, gaps in the security workforce, and longstanding technology issues, in particular the legacy technology still prominent in sectors such as manufacturing and healthcare, which creates excessive technical debt. In many industries, for example, legacy technology cannot be ripped out without significant interruptions to service.
“Infrastructure can't go down. And if you patch the technology that runs the infrastructure and the patches break it and take it down, well, from a certain point of view, that might be worse than it actually being attacked,” Maley said. “We've really got to become agile on how we do that.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.