Cyber Savvy: Protecting Vital Signs with Nicholas Schopperth, CISO at Dayton Children’s Hospital

Welcome to the fifth edition of Cyber Savvy, a blog series offering expert insights from top cybersecurity professionals. In each installment, we engage with a diverse group of security leaders to gain new perspectives on the ever-evolving threat landscape. Through these interviews, we delve into their unique career journeys, highlighting the challenges they've faced and their notable achievements.

In this article, we chatted with Nicholas Schopperth, CISO at Dayton Children’s Hospital. An Air Force veteran with over a decade in cybersecurity, Schopperth is dedicated to protecting every aspect of the hospital from cyberattacks. He leads a proactive team that handles threats ranging from phishing attempts to state-sponsored attacks. He values continuous learning, having transitioned from systems administration to cybersecurity during his military career before joining Dayton Children’s in 2022. Here’s what Nick had to share about his journey.

What are your biggest security concerns/challenges as a CISO?

A: As a healthcare CISO, my two biggest concerns are ransomware and loss of patient data. The biggest challenge to address these has really been making sure my team is seen as a partner instead of the boogeyman. The leadership here does understand the importance of what we do, but there is always a balancing act that happens. Our mission is the relentless pursuit of optimal health for every child within our reach, my teams’ function is just a small part of that mission. We enable the mission to happen by providing the most secure network we can with the resources available to us.

What new challenges do you anticipate in the coming year?

A: My biggest focus for the next year is working to make sure our current tool set is optimized for defense of our network. We had several events before last year that helped me get a fairly substantial increase in budget. This is a double-edged sword…those investments have really helped our security posture, but that increased posture meant it was harder to ask for new tools. However, this gives my team a great opportunity to make sure we’re using what we have to its fullest ability. That is the focus this year; to look at our existing stack and make sure we're taking advantage of everything we can instead of buying another product that does the same thing.

How is your team adapting to the evolving threat landscape?

A: We do our best to keep current through different sources. We attend webinars or local conferences and summits, we receive threat intel from multiple sources, and read daily news to see what happened while we slept. My team is small, but we have some really great partners that help keep us secured. We rely on and learn from their expertise to make us better.

What do you consider your most important success metric?

A: From a cybersecurity perspective, I like to look at response and remediation times. Data points like time-to-detection and time-to-remediation are a great way to show how successful the security side of my team is. I also lead identity and access management, this is where I muddy my response a little bit. The most important metric with IAM is a combination of accurately closing tickets on time and closing backlogged tickets.

What are your three biggest goals for the coming year?

A:

1. We are migrating to a more robust endpoint detection and response software. We have several thousand endpoints, but we have a partner assisting us and we’re hoping for a very smooth transition.

2. We started an identity governance project a couple years ago which has been fraught with delays. I think (or hope) we are finally nearing the end of the project and are able to completely flip the go-live switch.

3. We measure our program maturity using a combination of CIS Controls, HICP, and will be implementing the Cybersecurity Performance Goals from HHS. My BHAG is to cross reference each item, align them with each other, and provide supporting documentation/evidence for all areas…we’ll see how well that goes.

What new trends in cybersecurity excite you right now?

A: Although it’s not new, I've been looking deeper into attack surface management lately. When we know what assets are exposed, it is much easier to manage the associated risks. The unknown is most concerning for me. As an example, we were working with an ASM vendor and they found some concerns they wanted to address with us before our scheduled call. One device name led them to believe it was a domain controller exposed on the Internet. Fortunately for us, it was not our asset. Unfortunately, it was indeed a domain controller. We were able to coordinate with the owning organization that didn’t know that device was exposed. The unknowns worry me the most, leveraging an expert in ASM is our next logical move.

Are there any security leaders, besides yourself, that you look to for guidance?

A: There aren’t any specific individuals, but I am in a couple different groups of healthcare leaders. Groups like the Healthcare-ISAC and the Children’s Hospital Association have some amazing sub-groups where we share advice and ask questions. Another group is a more local/regional group of healthcare security professionals. We usually meet monthly and talk about anything hot for everyone or something that is pressing for one or two people. All of these groups are great for bouncing ideas around, asking about products/vendors, or even quickly sharing information on current security issues.

What advice do you have for other CISOs or aspiring CISOs?

A: Sleep now, you won’t be able to later 😉. Seriously, my path to CISO was atypical. When I was transitioning out of the military, I did not want to lead, I didn’t want to be the chief of anything, I just wanted to bang on a keyboard. I quickly found out that my technical skills were not as high as I wanted them to be, so I leaned on my leadership abilities. As a CISO, know that your time on keyboard will most likely be limited. You will be a leader, a mentor, and an ambassador for cybersecurity. Get comfortable politicking, you will need to translate the beeps and squeaks into business when talking to anyone outside of IT.

Want to learn more from Nick? You can connect with him here.

In our upcoming Cyber Savvy segment, we'll be conversing with yet another security expert to explore their perspectives on the constantly shifting threat environment. Whether you're a seasoned CISO, aspiring security analyst, or simply curious about industry insights, this is an opportunity you won't want to overlook.

Want to be featured yourself? Contact us here and we’ll be in touch!