Brian Carmenatty is an information technology executive and strategist with over 15 years’ experience in diverse disciplines including system infrastructure, security, compliance, vendor management, and service management. He combines deep technical expertise with a strong service management focus, which allows him to work with technical and customer teams to deliver valuable outcomes.

Brian currently leads the IT department for one of the largest MSOs in the state of Florida, which consists of over 300 practices. He has built the foundation for a robust multi-location, decentralized IT environment, led post-M&A standardization activities, and coordinated compliance and security projects including encryption, MFA, EDR, and MSSP rollouts for the whole organization.

Episode transcription:

F: Thank you for being with us today, Brian. Pleasure to have you here.

B: Thank you.

F: All right. Just to get us started. Just tell us a little bit about yourself and what falls under your oversight within your organization.

B: So I currently work in a healthcare organization, a managed service organization here in the Miami area. I oversee currently about 300 plus offices throughout the state of Florida. I handle everything from the IT operations, data center security, a little bit of a mix of different IT aspects. I also oversee all of the vendors from our multiple MSPs. I deal with over 20 different MSPs throughout the state.
And I also manage them and direct them through our different needs in the organization.

F: What are some of the ways in which you can measure the level of maturity and success of a cybersecurity program? Do you have any examples you can share?

B: Yeah. So, you know, there's a few different frameworks out there.
One of the ones we like to look at is the NIST CSF, which is, you know, it's one of the big ones out there. There's a few other ones, depending on what industry you're in, but a lot of this kind of falls into the five key areas, which kind of goes into the identify, protect, detect, respond, and recovery.
And these areas are more or less, you're going to run a baseline across your organization, and then see where you fall within these categories. Okay. You know, it's very hard nowadays to kind of say, hello, how well are you doing in the cyber security realm, especially with all the current threats and different exploits happening out there.
So, that NIST CSF, which is, you know, everybody can look it up. You can go to nist.gov and see it and download their own spreadsheets and answer the questions. And it does give you a strong high level. So one of the things you do see a lot different when you start answering these things.
You're going to notice quickly that most companies are pretty good on that out of the five elements that you identify, you don't notice. You're pretty good. Most people are doing asset management. Nowadays most people are meeting a lot of the initial scope of, I guess, like the first element of the NIST CSF.
Then you'll start noticing when you get to protect a lot of companies investing heavily there too. For years, that's where we were all putting all of our money, right? Antivirus firewalls, you know, that's where a lot of the protect, then you start getting into detect and respond falls back on your scale a little bit.
You start noticing you've got some weak spots there. In the last few years, that's where our focus has been. Right? Many organizations are starting to try to invest heavily in detect and respond solutions. Then your next gen, EDR is in different things there. And then you get into the recovery phase, which is, more or less, you know, on business continuity and disaster recovery.
So, you know, when you look at these, you want to kind of lay these out. These are great for your board levels. Now I always tell people, you can fill these out and you don't want to say, Hey, we hit a level four. We're good. We're walking away. No. You know, you still want to go in there and say, we are hitting a three to four and maturity, but you want to look at what, where do you want to be?
Where's your company want to be? You also want to look at it from a perspective of, is this right? Do we feel safe enough if we're three, do we still have holes, you know, and that's where you want to start trying to continue to do your thing. Make sure you do a gap analysis. Make sure you do your risk assessments. Continue to do different things like, you know, vulnerability scans and pen tests. Test those measures and that maturity, because sometimes you feel that you're out of a strong number and you might be in a better number here, but you're still not there.
And you wanna make sure you have those when you're clear, especially when you explain this to the board into, and anybody on your own. If you have any compliance committees or, you know, IT committees, you want to make sure that you're explaining to them where you fall, what your maturity state is and what does that mean to them and where do you want to be?

F: You mentioned something to do with the different maturity levels. I think you mentioned level three and level four. Is that something that an organization or let's say any small business that we'll be trying to say got their data from data breaches, is there a specific maturity level that they should be targeting? Or how, how do you guys assess that?

B: Oh, I think it really depends on there's no right or wrong. Right. The whole thing here is this is not compliance at that level. This is more of just understanding where you fall in the aspects. So when you look at this and you go, okay, we're dealing with HIPAA, your security is going to be a little bit stronger and you have to understand the higher you are on that, the higher you are on the scale. Also, the more money you're going to start investing, right? Most companies that are already a stage or at a five in maturity, they know the amount of data they have, and they are heavily investing in security and insecurity on that insecurity on that side from infrastructure.
And, you know, respond, react to the perspective. Now when you're a smaller business, you know, I think you have to look at it from the perspective of how much data do you really have? What are you trying to protect? Are you doing PCI compliance? Okay. Are you storing the credit cards?
You kinda toned that down a little bit, so maybe a two or three might be fine for you, but somebody in these other sectors might look at it and go, Hey, You know, we're hosting systems. We need to make sure we're at that higher level of maturity. And then continuing, because you might be hot there today.
Things change in the market, security, threats, change. And now you're back to a four, you know, a three again, and some of these things are just kind of, when you started looking at the NIST CSF. And he started looking at the documentation there's categories and subcategories, and it might be as simple as just saying, Hey, we asset tag all of our computers, we know what we have out there.
And that puts you in identify. Does that make you more secure than the other person? No, but it just shows that you guys have, and then how good you are in that area. Cause you might meet recovery, but you might not be at the level as a bigger corporation, so you have to kind of find that middle ground, and that really that's a business decision in the end.

F: One last follow up to the response you just provided. I'm curious to know for my risk reward perspective, is it always better to have a third party storing your data? Like I think you mentioned the financial transactions, or do you want to have that data element being stored within your own servers?

B: Okay. Well, this comes out to risk mitigation, right? It kind of falls into when sometimes takes, this is a lot of your industry regulation. In the HIPAA aspect, you know, from my healthcare background, I would say, you know, putting information in the cloud can be done, but, and you know, sometimes if you don't have the staff and you want to push things off to, to have better security, sometimes people feel they have better security.
If they're more resilient by being out in the cloud and that's fine, you just have to make sure you stick with certain things, you know, question just because you're talking to X Y and Z corporation that hosts other companies out there still, you want to make sure that you questioned them and you ask them for, Hey, what, what, you know, what are your current certifications? Are you ISO 2,700? How do you conduct your risk assessments? Will you sign them? And you need the business associate, you know, you want to make sure that if you're going to move things from one to the other that you're meeting all of those aspects, because even if you have it, and that becomes a business choice, saying, Hey, let's keep it on on-prem. Are we going to invest in a data center? Are we going to have the staff to keep that data center going?
If they're not, let's look at cloud is already going to provide the data center. It's going to do this now. Are they going to sign the business associate? Is it going to be private or is it going to be shared across resources?
So, you know, all of this comes into play, and there really is no right or wrong on this. Now I know most companies nowadays are moving cloud sector because. They feel, hey, you know, now we're just going into more of an application management, more than, um, taking on the full responsibility of managing the hardware, having our own data center staff, you know, keeping up with all the certain parts.
So, you know, I see a lot more people moving that route and I think that's where the future is going to go. But you know, we have to do the due diligence from our side within the organizations, within our companies to make sure that all of these vendors that are hosting our systems are following through and giving us, you know, what we need from a security standpoint.

F: This leads to our next question. Organizations that have never suffered from cybersecurity breaches tend to have a low risk posture, which essentially refers to the status of the overall cybersecurity program that's been implemented by an organization. From your own expertise, what strategic recommendations would you make to companies and businesses that fall under this category so that they don't lower their guard in the expectation that they're unlikely to get hacked?

B: Well, I'm going to start this off with, it's not a matter of if, but when, and I know we've all heard this before, and I'm going to say again, it's not if, but when, and have you been hacked already because many people have already been breached and have no idea or they don't know that. And that's one of the where I like to start.
You cannot, I always try. I know you hear sometimes and say, Hey, I'm unlikely to get hacked. I've heard that many times. You know, I don't have anything to take, what are they going to get from us? But we all have something and regardless if it's for game or for, you know, monetary value or there could be something and we all have to look at it from that perspective, do not let your guard down.
You need to, and what I would recommend is, do your set your risk assessments. Make sure that you're following up and you're making sure that you are meeting certain standards, even from a compliance, even I know it's a checkmark sometimes. And I say, go above that, you know, make sure that you're doing security awareness training.

F: If you want to check to see how resilient you would be, figure out if you feel that you can't be hacked. What if you were, how would you bounce back?

B: I recommend most to perform a tabletop exercise, bring in your C levels, bring in your IT. I don't care if it's one or two IT guys, bring them in and see how you would respond.
If on a Monday morning you got up, you received the call that all your services are down and you are dealing with a ransomware attack. And the whole thing about this is making sure that you are ready. Because it isn't about if, it's when, and when you're ready and you respond and you have an answer to you, have a way to recover from that.
That is the key. And, you know, that's something I do say to every company, does it matter how big, how small, we recently just saw some really big hacks out there? You know, FireEye, we've had SolarWinds. I would not say that any of these companies had, were knowing maturity or had bad security posture.
These are very well known and looked at in the industry. Very highly. And look, you know, and unfortunately, it only takes one thing or one slip up and that's all it takes. And so, just take it, from everybody here and it's a learning and moving forward is, you know, test your infrastructure, make sure that you guys are doing more vulnerability scans. Don't wait, don't wait.

F: When talking about the companies that have been hacked before, what's the best response to, you know, this public negativity about a company. Let's say company X got hacked by, and data got exposed, customer data got exposed. What is the best approach and remedy to that kind of a setup?

B: It's a hard one. Unfortunately, every person's going to view it from their own ass, you know, and each person's going to look at this. From their own point of view. Some people are going to say this, they did not do enough. Some are gonna say, you know, it happens. But it's really, you know, I think it's very important to have a response in place for your organization in advance, to know when this happens, how will you address this? How would you respond to it? How are you going to show this? And I respect some of these companies that come out. FireEye came out very quickly and said, we were aware of this. They went public. They said, we are going to investigate this. We are going to put these types of remediations in place.
That's to me from my perspective and you know, these is outside of anybody's control. But I honestly think that it says something about a company. You know, hey, we're human. We all make mistakes. We try our hardest. We invest heavily in these security, and these different avenues of security. But in the end, when it does happen, we are there to clean up the mess as well, because if it happened, we need to figure out a way to clean it up and remediate it. So, you know, I think it's just kind of pre-planning and you know, we're going to edit this because it's not going to be a hundred percent.
You're not going to know what's going to happen today. It's malware tomorrow. It's a DoS attack. Look at Miami-Dade County, who would have expected that. But the whole thing here is saying, we're going to get to the bottom of this. We are investigating it. We're trying to figure out a way to do this.
And we are looking at a way of, you know, remediating this, so that it doesn't happen again.

F: Looking into the future of cybersecurity, what are some of the latest technology trends that you foresee dominating the cybersecurity industry over the next five years? And how can companies better prepare for them?

B: I'm going to take it back and say, let's take it to three years because right now, nothing in the IT industry, or even in the security industry is lasting five years anymore. We used to say five years for everything. Right. You know, your plans. And so far, we can barely keep up with what's the threat landscape, and even the IT landscape is changing so fast.
You can't keep up with it. So I would say do three years, don't do five. Let's do these strategic plans of three years and then start looking at it and then looking at the future from that point. From my point of view, I think artificial intelligence is going to play a huge role in this.
I think right now, you know, we're seeing heavy, heavy demands in the security aspect that they need resources. They need people and we don't have them. We don't have people that are meeting the skillsets fast enough. We're not able to keep up with the threats fast enough. And I think artificial intelligence is going to help.
Fill some of those gaps and also help speed up. A lot of these things when it comes down to identifying vulnerabilities, identifying anomalies in networks and trying to get a little bit deeper into that on the other side, I do see that the threat actors are favorite hackers out there.
We'll start using artificial intelligence as well. This is a cat and mouse game, everybody's going to try to stay ahead and if we're using AI to detect, they're going to use AI to evade. And I see that coming, I do see better tools coming out there. I see new things coming out.
I see a lot more cybersecurity firms coming out in the industry, kind of trying to show, you know, trying to put some new systems out there and new frameworks, but you know, overall I do see artificial intelligence playing a huge role in this and changing how we currently operate it.
We can't keep up with the threats, think about it. You know, how many SOC outlets can a company have? How many analysts internally can you have. You know, we're buying all these tools and you don't have the people to manage them.
So you have to automate, you have to help for automated responses, you know? I think that's where the future's headed.

F: What would you say to those that are opposed to automation at this juncture, given what you know about what's happening in the industry?

B: I know where that's going.
Unfortunately, a lot of people see it as automation is going to steal the jobs and, you know, we all look at it, right. I look at, I always say automation and I think about that, the totals. And he said, man, I remember when I sat to throw that quarter in there and you know, I haven't seen a toll in years.
So, you know, I understand, but with the tolls being removed, what came after we're technical it jobs, right? We have to keep those. We have to keep that automated. We have to keep those sensors going. We have to keep the photo systems going, and you always have to look at it about. You have to be able to accept change.
And I understand that automation may remove, you know, an analyst job from, checking, you know, 400 lines of event logs coming in all day and looking for that. And it might become easier. You might need three instead of a hundred guys. But, you know what, there's going to be a whole new area of employment.
That's going to open up. Also, we can't just look at it from, Hey, this is the end. And we just have to be able to, to change with it and, and try to say, okay, well, I'm not going to be able to do with that, but my expertise is here and I'm going to be able to do this, this and this. So I think that's going to be the future there.

F: I like that analogy about the toll workers and how that's transformed the industry, there're new jobs that have been created, which is people monitoring those sensors, you know, creating the codes that will be used, you know, with those sensors. So that's a great analogy.

B: Yeah. There's a lot of things that sometimes you gotta dig a little bit deeper to kind of see. How one is cut off, but new things are created. And I say, it's a cycle. Everything that you lose and you gain, you know? And unfortunately most of this stuff is you made it delayed a year or two. Let's say if we didn't do automation, now we do automation five years later.
Then five years later, it's going to come anyway. So all you're doing is delaying the process. It's going to happen sooner or later. So this is coming down for everything, you know, how many things that an IT technician or a system admin do 10 years ago that they don't do now, you know, and in a few years, my thing would be to make me obsolete and, you know, make me move into another realm.
I would love, I would hate, I would want my guys to stop doing patching. I want systems like, you know, could say different things to take over and automatically do that and detect, so we don't have to have people babysitting that. And it's important. I think it's where we got to go.

F: Right, right. It's important to always upskill. Here at pro society, I oversee the recruitment division of technical roles, such as deep learning engineers, SREs, and even ethical hackers. What are some of the in-demand skills that pose a challenge in recruitment within your organization and the cybersecurity landscape?

B: Okay. So that's a good one because honestly I'm going to say everybody wants to be the hacker. And I think that is also creating skill gaps. Everybody wants to be at the top. They want to be the surgeon, but no one wants to be the nurse. And I tell people all the time.
As much as we need the white hats, we also need the security analysts. We still need babies. Baby security guys, right. We still need the Security+, the entry level security guys to come in and learn and grow with us as well. And I think what's happening is, and I see it in the market too, with the recruitment that, you know, you read these ads and it's like, Need CISSP with five years' experience, one book and you read this and you go.
But, you know, like most of those guys are at a higher level. They've been in the industry a long time. They've been doing this for a while. They're not going to come in and want to do a risk assessment. They're not going to want to go out to an office and just do basic things, but there's a lot of growth in a lot of 'em.
You know, things you can learn out there and you don't have to get the CIS. You don't have to be the CSUMB. There's still a lot of avenues. There's a million different certifications out there right now. And there's a lot of things that for some reason, people turn away lately when they see entry and intermediate level.
And I say, we need those in the industry as well. And I think that's the hardest thing to find right now. It's kind of like this gap that you go from entry to like expert. And then you don't find that middle ground anymore. So, you know, there's a lot of job opportunities in those areas.
And sometimes just having those basics in both, feel free just to diversify your portfolio and saying, Hey, I have some IT, I have a little bit of Microsoft background. I have, you know, my A+, my Security+, I see people remove all of that and just put security. And it's like, no, put it all. Let us see it. Because guess what, if I'm trying to protect VMware, I want you to have a little bit of VMware experience with some security background to kind of fall in that. The same thing, you know, like, Hey, what if you just have basic with antivirus, maybe I'm looking for somebody to do threat hunting for me in Carbon Black.
There's a lot of things out there, and a lot of times you meet with candidates and they're afraid to say other things they've done. And I sell them all. But you, you did a little program. Oh, you did some of this. Oh, tell me a little bit more. And then they're kind of like, they stay a little bit, they look at you weird.
Like you like that. I go, Hey, my background, I was a senior sysadmin for years, you know. I started from the bottom and I moved my way up and I say, sometimes it's important to have all of those. That makes you, so I definitely say, you know, don't be afraid to step in and start these new certifications.
You know, we need the analyst, we still need the entry-level security guys. We need more people to have more understanding of risk and mitigation. Um, you know, identity, access management. There's a lot of room in there. Not everybody has to be the hacker.

F: Do you tend to get creative with your interviewing techniques?

B: Yes. All the time. You know, my thing here is I like people to be themselves. And, in my thing, sometimes I kind of throw things out or I say things and I'm going to take it from an interview, you know, for me from an interviewer perspective to the interviewee, I like to bring it down a notch.
It doesn't have to be like, you know, like this weird tension in the room, I want you to be yourself. And if you're going to work with us, I want you to be the person you are normally, and don't get me wrong. I understand, you know, we have certain heads of kids and you know what I'm saying? And people have to follow certain things and you know, you suit up and you come in there perfect, but be yourself.
And you say, you know, I liked you to break down. And then I say, well, tell me what you've done. I try to put out what you have accomplished. Everybody can put on their resume nowadays. Plus, everybody can put MCSC. Everybody can say, I touched Windows 10 or Server 2019, or I know what Active Directory is.
What have you done? Like, hey, have you ever, ever had an issue where you try to create an OU and you put it, you know, how do you get, you know, I want to get around certain things, you know, what have you done? You worked with cybersecurity systems. Yeah. What do you do? Oh, you okay. You've worked with Carbon Black, you've worked with certain firewalls, you've turned on whatever you do in Microsoft 365.
So my thing is about drawing you out. And what I recommend to candidates is feel free to give a little bit more. Don't so reserved. And I know it's a nervous thing to be in an interview, but when they sit in front of you and I talked to people all the time and try to help kids coming out of school and try to work with them on my own.
And I tell them all the time, you know, tell them what you've done. Cause sometimes the little things you've done, they might be looking for it. Hey, you know, part-time I started doing forms. Why don't you build forms? You're like, oh, give me some idea. You know, sometimes you want to get that out of them.
And I think that's my thing here is kind of like, I throw like a little piece of cheese and I hope that they come to it. You know what I mean? Like, you want to try to get, draw that energy out of them because sometimes I feel like interviews can be very, very stressful. And not everybody's going to be extroverts.
Some people are introverts, you have to pull it out and there might be an amazing person down there in that, and that person right there that might change the way your organization runs.

F: How important are emerging risks in your information, security division, and how can we all better protect ourselves to ensure the security of our data across different online platforms?

B: So, yeah, a lot of things are moving. You know, when you're saying emerging risks, everything has changed and very rapidly for a long time. My threat landscape was nothing more than keeping things secure in my organization. It had onesy-twosies that were out in the office and you know what to do, the risk, the threat landscape and risks have increased when everybody instantly working remotely.
Everybody at home, the certain security before, I was protecting my network. Now you're connecting from your network to my network. You know, now we've created, we have a whole bunch of different avenues that we were not expecting so fast. Um, so a lot of this comes down to awareness, training, you know, making your employees into the human firewall.
You want everybody to be part of security? You want everybody to feel like I don't care if you're in accounting or if you're in marketing, but you are part of the security department. Each one of you play a huge role in our organization, safety and, one of the things here is now that we're all online and there's so many different things that, you know, shadow IT.
People are opening up portals and storing stuff there. And it's training. It's a lot of it there. The single pane of glass that you hear about all the time from sales professionals. You can have it for certain elements. Yes. I can have certain things all tied together and it's trying to get more and more things on that single pane of glass, but there's so many things out there unless you speak to your employees and get them on the same as you. You're fighting, you're going up against everybody at that point, because they're going to be pushing back on you, and you need to be able to identify that.
And kind of saying, Hey, you guys are working with us, so we count on you. And then on top of that, then it's kind of putting the measures in place, you know, start doing, continue with your security awareness training, phishing campaigns, making sure that they understand, make sure that they're getting extra education on this. Make sure that you have the latest next gen antivirus and firewalls out there. You know, the landscape has changed too everywhere. So it's a moving target at this point. So you have to try to look at it from how can I cover as much ground as possible. And a lot of it starts with the employee.

F: Last question. And this is one of my favorite questions. I ask this to all my guests, because it's the same question, but I get different answers because of people's different backgrounds and experiences. So what has helped you to get to where you are today? And what advice would you give to someone that's willing to pursue a career that's similar to yours?

B: I'm going to say that a lot of it is networking. Being outgoing, never saying you've learned enough. And also there is no right path. I'm somebody that, you know, I went through a different path than many people, and no, I feel I've been very successful and I feel many of the individuals out there can be successful just going down their road.
It's just, you have to look at it as everything is an opportunity. Don't ever hold yourself back, looking at it as a perk from a perspective of hey, I didn't finish college. I can't make it. I couldn't get that certification. Listen, there's a bunch of ways to get there.
My way has always been keep your head, keep reading, keep learning, ask questions. Don't feel like you know too much. You always want to surround yourself with people that know more than you. Try to mix yourself, build yourself, build a community, reach out to people or try to mix yourself with people that know more than you.
You want to learn about hacking in the neutral self with hackers. You want to learn about, you know, let's say it, automation start trying to get out there. We have more now than we had at any time in our lives before. We have everything from Twitter to LinkedIn learning and you know, on LinkedIn and different things, you can connect with your trainers. I mean, 20 years ago, I used to read a book. There was no way I was ever going to know that book writer. Nowadays, you go on LinkedIn, you reach out to the book writer. He responds. Hey, thanks for the feedback. Next thing you know, you made a new connection, that connection will help you grow.
And it's all about growth. If there is no right or wrong, I'm always looking for new things and I'm always trying to explore new avenues and trying to continue to learn. I mean, even to this day, I mean, I've been in the industry 15 plus years and I'm continuing to learn.
And what I knew 10 years or 15 years ago has completely changed. Yes, the principles are there, but it's becoming a blur over time. So you, you want to continue to learn and don't, don't sit back and go I know all of that. No, you don't, because everything changes.
Just continue to push yourself forward. That's the biggest thing there. And as you continue to put yourself forward, you're going to notice that things start falling into place. And, unfortunately, you know, there is no run road, that you weren't going to get there.
This is that high school, right? It's not like you're going to get four years graduate. You're done. This is different. You might make a left and left might not work. You might make a right. It might not work. And then you just go straight up the middle and bam you're there. So you just want to follow your path, make, make yourself who you want to be.
And that's where I leave it. I say that you have to follow all of your heart, follow your dreams, follow what you want.

F: Brian, this has been a great discussion. Thanks for being with us today.

B: Hey, been a pleasure, Fred. Thank you.

F: I hope you enjoyed this episode of the podcast. Please take a moment to rate, review and subscribe on your preferred podcast listening platform. We really appreciate that effort. Until next time.
