Cybersecurity Budget. PHOTO: Cybercrime Magazine.

CISO Report: Every Dollar Counts When It Comes To Cybersecurity

Fortune 100 CSO Paul Connelly talks ROI

David Braue

Melbourne, Australia – Oct. 25, 2022

The CISO Report is sponsored by KnowBe4.

Developing and delivering a security architecture is hard enough at standalone companies with just one or a few sites — but things, Paul Connelly admits, go to a whole other level as he works to balance everyday cybersecurity activities with evaluating and applying the never-ending parade of new tools and technologies.

As chief security officer of Nashville, Tennessee-based HCA Healthcare — a Fortune 100 company delivering services across 182 hospitals and 2,300 sites in 20 states and the United Kingdom — Connelly knows all too well what a juggling act it can be to just keep up.

“Between phone calls and emails, text messages and LinkedIn, every day I probably get at least 50 companies reaching out to me,” Connelly told Cybercrime Magazine. “There are so many good ideas, and for every one of them the company thinks they absolutely could solve a problem for us.”

“But we’ve got to figure out how it is going to fit in with everything else we have going on,” he continued, “and no matter how good the value proposition is, there’s just no way I can spend the time looking at that when I’m trying to run an organization.”

Fortunately, Connelly said, his company is large enough that he can delegate technology appraisals to internal specialists and outside groups who focus on looking at new technology.



Throw in the ever-expanding learnings from colleagues and peer organizations, and there’s a lot of information and support available to deal with what Connelly called the “overwhelming” challenge — but ultimately, he said, “it comes back to the leader of the program and their business leaders focusing on the most important risks.”

“If you’ve got $1 to spend, where are you going to invest it where you can make the biggest difference on the risk?”

Staffing remains a key issue for a company so large and so far-flung — yet Connelly believes recent industry efforts to bring people into cybersecurity are bearing fruit.

“We’ve also changed our focus,” he said. “Whereas 10 years ago we would not even look at somebody if they didn’t have five years of experience, today we’re looking at people for internships that will lead right into full-time jobs when they graduate from college.”

“We’ve adjusted, and we’re building more of a ladder of growth for people.”

Spending to keep up

Cost-effectively tapping people and technology to manage cyber risk has become crucial in recent years as boards, executives, and markets awaken to the realities of the financial, reputational, and operational damage that cybercrime poses.

The problem has been particularly pointed in the healthcare industry — which has been increasingly targeted during the pandemic and will collectively spend $125 billion on cybersecurity between 2020 and 2025, Cybersecurity Ventures has predicted.

“It’s incredible the number of ways you can get hit as an organization and the way the dollars add up,” Connelly said. “As an organization, the amount that we’re investing to try to counter that is growing at double-digit range as well.”

“For us, it’s all about the threat to operations, and the threat to the trust of our patients if their personal information were to be disclosed.”

Everything about the industry is bigger and bolder now than back when Connelly started his career, joining the National Security Agency (NSA) fresh from the University of Florida, from which he graduated with a Masters of Food & Resource Economics in 1982.

Back then, cybersecurity was barely a thing and Connelly — as an information security analyst working on an NSA team evaluating security systems at the White House — spent five years building his cybersecurity expertise before being retasked to the White House.

There, as Information Security Officer (ISO), he began a two-year project to build a cybersecurity program from the ground up — and ultimately stayed for nine years, working in cybersecurity under Presidents Reagan, Bush, and Clinton.

“It was an incredible experience,” he recalled. “Every time I walked through those big iron gates, I felt a chill.”

“I had the opportunity to interact with incredible people and senior leaders of the country. It was just an extraordinary experience, and I’ve carried forward lessons learned through my whole career.”

A stint with PricewaterhouseCoopers ultimately led him to HCA Healthcare — where he began working in 2002 and is still managing security, 20 years later.

That’s a significant achievement in an era of short CISO tenures, and Connelly is well aware of the challenges that the industry continues to face as cybersecurity evolved from being a marginal issue in the 1980s into the defining risk that it is today.

“It’s incredible how it has grown,” he said, “and the number of startups and the number of brilliant ideas: people, instead of inventing other things, are putting their attention on inventing great new ways to [help you] protect yourself.”

“And that’s a good thing, because this has become a board-level issue for companies. It just continues to get more and more serious.”

Yet meeting that challenge head-on requires more than being technically adept: to maintain the kind of continuity required to secure large companies, Connelly said, CISOs need to ensure they are also spending time focusing on the people element.

“In addition to being a cybersecurity leader, you’ve got to be a people leader,” he explained. “You’ve got to create an environment where people want to work, and you’ve got to provide opportunities to grow and tackle new challenges.”

“People are passionate about being part of an organization that is taking care of people, and that maybe gives us a bit of a retention advantage in some cases.”

“But you’ve got to care as a manager, providing people that full package of opportunity, working in an organization and a culture that they want to be in.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.


Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.