I had the pleasure of interviewing Mac McMillan, the CEO Emeritus of CynergisTek. Mac is considered a thought leader in security, privacy, and compliance issues in healthcare from his 40-year career as a healthcare and government expert. After successfully founding and leading CynergisTek to become the top-ranked information security and privacy consulting firm focused on the healthcare IT industry, he retired in August of 2019.
Thank you so much for doing this with us, Mac! Our readers would love to “get to know you” a bit better. Can you share your “backstory” with us?
I grew up in a middle-income family in a small town in northeast Texas with my father, a career Marine, my mother, a stay-at-home mom, and my two sisters. I was fortunate enough to receive a Naval Reserve Officers Training Corps (NROTC) scholarship to Texas A&M. I started my career in the Marines and completed 22 years in the DoD before transitioning to the private sector, where I first spent three years in the health IT space. Those three years allowed me to learn how the private sector acquires privacy and security services and to formulate what I believed was the model for the future. In 2004, I founded CynergisTek with my business partner with the vision of creating a very different cybersecurity company following a unique service model. That model was based on partnership and collaborative managed services, taking virtually every task the CISO has to accomplish and turning it into a recurring service. Through a combination of timing and hard work, we were successful in realizing our vision of becoming the top privacy and cybersecurity company in healthcare. In 2017, CynergisTek was uplisted to the NYSE and became a public company. Today, I focus my energies on encouraging more young people to get into the cybersecurity profession through teaching and supporting programs that support this goal.
Can you briefly share with our readers why you are an authority about the topic of thought leadership?
At its essence, there are three key elements to being a thought leader. The first is to be willing to put in the effort to become an expert at something, understand it fully, and be able to apply it to any situation. The second is having a passion for sharing what you know and helping others understand and apply it. The third is creating your presence in a space through writing, teaching, speaking, etc. on the public stage and projecting a consistent message.
I believe privacy and security are critical to providing quality healthcare and protecting patients. For years, I have studied healthcare and how our health system relies on data and IT systems to accomplish its mission. I have applied what I know about protecting information and maintaining privacy to the healthcare industry. Lastly, I have taught others both directly and in the classroom, contributed to books on the subject, presented hundreds of lectures, written countless articles and given thousands of interviews over the last 41 years. I have learned, shared, and been a presence in that space, but ironically, that is not what I initially set out to do. My goal was to be the best expert I could be on the topic so that I could both educate and innovate.
Can you share the most interesting story that happened to you since you started your career?
A certain young Chief Information Security Officer (CISO) I knew had moved to a new health system and called me one day saying she was having trouble with a particular doctor who was insanely successful and generating large revenue numbers for the hospital. This doctor was complaining to anyone who would listen (all in the C-suite) that the IT and security departments were hampering his business. When she was done explaining, I asked one simple question: “Have you gone and met with him personally and observed him in operation?” The answer was no. I advised her to get out of her office and ask if she could shadow him for a few days and then come back and tell me if she thought what he was saying had merit. She did just that, and she was amazed at what she learned. I then asked what she was going to do now. She replied that she was going to build a different set of controls that worked better for him and wouldn’t impede what he was doing. Once she did this, he became her biggest supporter, and a very influential one. I have told that story countless times to young CISOs to get the point across that you cannot do your job from sitting behind a desk. It is a reminder that the point at which we become valuable to the organization is the point where we become enablers of the mission.
More often than not, we are engaged long after an organization has been up and running and are faced with many legacy issues that work against good security. Most hospitals were built pre-HIPAA, and security and privacy were not priorities for those who were designing them. However, there have been a few occasions throughout the last 20 years where CynergisTek was engaged early on as new facilities were being designed. It is amazing what a difference simple design changes can make to facilitate security and privacy and indirectly make the clinical staff’s work experience better. For instance, there was a hospital built out west in which the Chief Information Officer (CIO) engaged with us early in the process to provide ideas on privacy and security from construction to layout, orientation, access, etc. Another hospital built in the east wanted to be as paper-free as possible and took a new approach via nurses’ stations that increased access and collaboration without sacrificing security. We also supported the development of a clinic in the southwest from the ground up and designed security to be transparent to the patient and staff. These types of opportunities were always the most interesting because they gave us the chance to reduce risk by designing smarter workplaces, reinforcing that when security is engaged early, we end up with a better solution.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
I cannot really recall a funny mistake, but I certainly made my share of mistakes along the way. The most important thing I learned from all those experiences is that in business, you will not be able to innovate if you are afraid of making mistakes or failing. In service to others, you have to own your mistakes, then honestly express remorse, and then make it right — and then pick yourself up and try again. No one expects you to be perfect, however they do expect you to be responsible and willing to make them whole. Whenever I hear a manager say, “Never apologize, just offer a solution,” I say to myself that this is someone clients or employees will never really trust.
Ok, thank you for that. Let’s now jump to the main focus of our interview. In a nutshell, how would you define what a ‘Thought Leader’ is? How is a thought leader different than a typical leader? How is a thought leader different than an influencer?
There are three main things that differentiate a thought leader from other types of leaders. First and foremost, they are passionate about sharing their ideas and knowledge on whatever subject they are an expert on. They do that through participation in industry groups, contributions to publications, and participation in conferences and events. Second, they have a passion for what they do and are constantly learning and educating themselves and others. Third, they focus on where the industry, the technology, etc. are going and are not afraid to proactively offer solutions or ideas for anticipating what the industry need will be, as opposed to being reactive. As a result, they are able to take what they know, apply it, and solve problems that need solutions. Thought leaders are not afraid to have opinions and share them in an effort to influence others, who then influence others to eventually make real change. At their core, thought leaders are not afraid to be change agents.
Can you talk to our readers a bit about the benefits of becoming a thought leader? Why do you think it is worthwhile to invest resources and energy into this?
Becoming a thought leader ensures you will be on the cutting edge of what is happening in your selected field of focus, industry, market or technology. It allows you to see where your organization needs to go in anticipation of where the market will go as a result of some new influence. Being a thought leader also means being a trusted partner and advisor to your clients so that you can help them solve not only the problems of today, but the challenges of tomorrow.
Let’s talk about business opportunities specifically. Can you share a few examples of how thought leadership can help a business grow or create lucrative opportunities?
Suppose a new regulation is coming. As a thought leader, you will not only have read that regulation but perhaps were even involved in its development. This unique position enables you to think about the impact the forthcoming regulation may have and consider what the industry is going to have to do in order to respond to it effectively. You can begin to communicate this to your clients long before it arrives and develop solutions so that you are ready to assist them in responding when the time comes.
As early as 2003, I was talking about active privacy monitoring. We had network log monitoring, so it was not such a stretch to visualize auditing user activity in applications for privacy. It was 2006 before we really saw privacy monitoring tools appear, but we had been talking about it for three years already. Several years later, when breaches began to grow in size due to hacking, it became clear that stopping large numbers of records from being exfiltrated was going to be a necessity. Research led us to Data Loss Prevention (DLP), which allows IT administrators to identify where sensitive information is within the information enterprise and put rules in place to restrict or prevent its removal, and we began talking about this new solution two years before healthcare began adopting DLP. Being a thought leader gives you the vision to see where solutions need to be developed or where solutions developed for one purpose can be repurposed to meet other forthcoming needs. Probably the innovation that had the most profound effect on our business was the development of our managed services model. Recognizing that the ability to have a real impact on the direction of a client’s program or their ability to mitigate events relied on a true working knowledge of their business led us to create our collaborative partner model that focused on us knowing our clients well enough to be an effective extension of their IT and Security teams and not just another cyber security vendor.
Ok. Now that we have that behind us, we’d love to hear your thoughts about how to eventually become a thought leader. Can you share 5 strategies that a person should implement to become known as a thought leader in their industry? Please tell us a story or example (ideally from your own experience) for each.
- Learn, learn, learn. Never stop adding to your knowledge base. You cannot be a thought leader without first being an expert in your field.
- Understand. Know the industry you serve, what is important to it, its challenges, and drivers. Learn where it is heading and what the future vision is for that industry.
- Write. Do it often and in as many different venues as you can. Do not just write in your profession, write in the periodicals of the industry you support, and the industries that support them.
- Speak. Get up in front of audiences and share your knowledge and your ideas, and demonstrate your knowledge of the industry you represent and the ones you support.
- Educate. Thought leaders don’t hoard knowledge; they share it and seek to improve the field in its entirety. Talk about the challenges, ideas for solving, theories, etc.
In your opinion, who is an example of someone who has done a fantastic job as a thought leader? Which specific things have impressed you about that person? What lessons can we learn from this person’s approach?
One leader I really like that may surprise many reading this is Ron Finley, who has encouraged many to plant gardens in parts of Los Angeles that many folks would not even traverse. He is making a big difference. I grew up in a family of farmers and my grandfather was the last real farmer in the family. I spent many summers working with him on his farm and learned what I consider some of my most valuable lessons and skills. My passion, aside from running CynergisTek, is landscaping and gardening. Finley is influencing entire neighborhoods to take back control of their diets by replacing junk food with wholesome vegetables and fruits. He is teaching people how to grow food instead of just being reliant on the system to provide it. He is spreading the message that real fresh vegetables and fruits are better for us than processed fast foods. Now gardens for community benefit are springing up in vacant lots and along medians, because one man saw a community need and a problem, visualized the solution and then built the platform to support it. We founded CynergisTek in 2004 to be the best privacy and cybersecurity company in healthcare and we built it as a platform to support our industry. Today we use that platform to promote education in privacy and cybersecurity at all levels, from K-12 to universities and professional education programs.
I have seen some discussion that the term “thought leader” is trite, overused, and should be avoided. What is your feeling about this?
I think that is because it has become a marketing buzzword, unfortunately. There is no doubt that marketing and PR have a role in developing an industry thought leader image. Unless the person or platform being promoted is a true thought leader, has a deep expertise that allows them to see and anticipate what is next, is a true educator and openly shares their expertise, knowledge, and opinions with others, no amount of marketing or PR is going to make it happen. A real thought leader does not need marketing or PR to have a message — when you speak to an insightful leader, it should be apparent. However, a real thought leader with a great marketing and PR platform to support them can have a huge impact. I was very fortunate in this regard and had an outstanding PR firm that became a fantastic collaborative partner to what we were doing.
What advice would you give to other leaders to thrive and avoid burnout?
Love what you do. It is amazing how much energy you can muster when doing something you truly believe in. Find a great assistant who can help manage your schedule. Develop a relationship with a solid PR firm in the industry you focus on and then manage them. Organize your time and make sure that you pay attention to your own need to learn and maintain your expertise and industry knowledge. Last but not least, have that one thing you really enjoy to step away to from time to time. For me, that is working outside in dirt with plants. Every time I look outside and see what I have created and how it is growing, I get recharged.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂
Wow, that is a huge ask. I have to tell you that I think Finley has the right idea, just not big enough. I think people that know how to grow their own food and make better choices in what they eat could have a huge impact on our future. If expanded, Finley’s program could make an even bigger difference. The problem is that many people have never even seen where the food they eat comes from or have been educated about making better choices. There is nothing cooler than seeing the Saturday Farmers Markets spring up in towns, or the farm to table restaurants where people rave over the food they experience.
Can you please give us your favorite “Life Lesson Quote”? Can you share how that was relevant to you in your life?
I will give you one my grandfather gave me and I have repeated many times in my life and career: “Bloom where you are planted, life doesn’t always give you what you want, sometimes it gives you what you need.” That was incredibly true for me as I moved through my 41-year career. There were multiple occasions where I did not get what I had wanted or hoped for, and if I had taken an attitude and not done my best, I would have missed out on some amazing opportunities that made a huge difference in where I am today.
As a Marine, I missed out on doing something. I wanted only to end up with a Command opportunity. When I transitioned from the military, I wanted to go into law enforcement, but there was a hiring freeze enacted two months before I transitioned and a colleague told me to take a job in security. Three short years later, I was the youngest Director of Security for a DoD Agency, which began my journey in cybersecurity. There were many other times where fate or someone sent me in a different direction than I might have chosen, but it turned out to be the right direction.
Do a good job and you will get another opportunity, repeat that and you will continue to get opportunities. People who deliver results tend to be rewarded.
We are blessed that very prominent leaders in business and entertainment read this column. Is there a person in the world with whom you would like to have a lunch or breakfast with? He or she might just see this, especially if we tag them. 🙂