This week on Simplifying Cyber, Aaron Pritz and Cody Rivers sit down with Nick Sturgeon — CISO at Community Health Network, Speedway Town Councilor, and current Ph.D. candidate at Purdue University — for a conversation about the challenges of securing systems that no longer stay within four walls. When healthcare happens almost everywhere, how do you keep patients, caregivers, and data secure?
Nick shares how his IT background landed him a role in law enforcement, walks through some of the unique challenges cybersecurity practitioners face in healthcare today, then touches on what politics taught him about understanding people's motivations in the workplace.
On Spotify, Apple Podcasts, or Buzzsprout.
Or watch the whole recording here on our YouTube Channel!
Aaron Pritz (00:25)
All right, here we go. Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz. And today we're here with Nick Sturgeon, who's the Chief Information Security Officer of the Community Health Network based in Indianapolis, but covering a lot of Indiana. Nick, welcome to the show. Nice to talk to you.
Cody Rivers (00:31)
and I'm Cody Rivers.
Nick Sturgeon (00:43)
Thanks.
Yeah. Thanks for having me. I'm excited to be here.
Aaron Pritz (00:46)
Awesome. And noting that you are hailing from a podcast studio of your own. I think you are a prior or current podcaster yourself. Is that correct?
Nick Sturgeon (00:55)
Yeah, the podcast I have is on hiatus while I'm finishing up my PhD. So not a lot of time. And as you guys know, there's a lot of time and effort that goes into doing a podcast. It isn't just doing this. It's the pre-game stuff. It's the post editing, and all of that stuff takes time, and being the host of one, all that stuff falls on me. So I don't have the time.
Cody Rivers (01:11)
Yeah.
Aaron Pritz (01:18)
Yeah,
PhD, fairly new CSO role, and then also town councilman. So maybe let's use that as the segue to get right into the who is Nick Sturgeon conversation. Give us a little bit of your story, maybe starting kind of how did you come up in cyber? And then obviously some of the things that you're into now.
Nick Sturgeon (01:22)
Yeah.
Yeah.
Yeah. So I've always been in technology. I had my, um, Bachelor of Science in MIS from Indiana State back in '03, got into actually law enforcement early on, um, moved out West to Las Vegas for about a year. I came back for some personal reasons, made that move back in 2006, got into law enforcement. I was part of the 67th recruit academy for the Indiana State Police. Um,
Actually, it was my IT and tech background that really helped kind of separate me out from, you know, the other 6,000 plus people that applied for the 150 spots that were open.
Cody Rivers (02:18)
Nice.
Aaron Pritz (02:18)
So run magic
server credentials. That was the topper there.
Nick Sturgeon (02:22)
Yeah, I really do think it was the IT piece that pushed me over and kind of, you know, it had that differentiation between all the other folks that were, you know, criminal justice majors. So, yeah, I got in the Academy in '07, early '07, January 26 to be exact. I'll never forget that day. And the six months of
Cody Rivers (02:37)
guys.
Yeah.
Nick Sturgeon (02:50)
the academy, which were fun, but I always knew I wanted to be in, and of course now, cybersecurity wasn't really a thing back when I was in undergrad. It was, you know, cyber crime was a thing, information security, but I always knew I wanted to blend law enforcement and my IT background and was able to get in and do that early on in my career. I got promoted to Sergeant
in our IT section. So really got to immerse myself in both the IT side supporting an enterprise network of applications and got into actually supporting the ISP cyber crimes unit being their tech support, but also getting digital forensics, cyber forensics training. And that led me to Purdue to get my masters in cyber forensics. And then, you know, from there,
Cody Rivers (03:39)
Now we're talking.
Nick Sturgeon (03:42)
The opportunities with my career in the private sector opened up, and actually I did a little stint at the Indiana Office of Technology running two statewide cyber programs for a couple of years and then on into the private sector after that. And then, I was at EY for a little bit, got the consulting piece, I was at Pondurance. I managed their security operations center for a little bit. And then prior to here,
How I got into healthcare was I worked for IU Health for a little over four and a half years. And then the opportunity at Community opened up, and it's not often here in central Indiana that a CISO role in healthcare opens up. So it's one of those things. It's like, if I don't do it now, who knows when it's going to happen again. And obviously I got the job and have been at Community for just over two years now.
Aaron Pritz (04:36)
Love it. So being in healthcare for a while and obviously navigating through Change Healthcare, which I think opened the eyes further of a lot of health plans and healthcare organizations on the importance of business continuity and downtime procedures, but kind of what's been your eye-opener?
Nick Sturgeon (04:55)
Yeah, that happened
basically two months into me as a new CISO. So imagine coming in as a brand new CISO and here's Change Healthcare. Wow. Boom. Cross. Yeah. Here you go. Nothing like, you know, trial by fire, right?
Cody Rivers (05:06)
Wake up. Yeah. Welcome to the team.
It's like, don't you
miss that Nigerian prince from like 15 years ago and you're just trying to get his wealth out of the country and he's evolved.
Nick Sturgeon (05:17)
Oh yeah!
Yeah. Or going way back, the Mariah love bug, you know, since it is, you know, the day before Valentine's Day, you know, that, yeah, those, that's old school.
Cody Rivers (05:28)
There you go, that's right.
Aaron Pritz (05:32)
You better knock on some wood. AI just heard you and they're going to spin up the love bug 2026. You don't want that. Knock on some wood there, buddy.
Nick Sturgeon (05:38)
Yeah. Yeah.
Cody Rivers (05:40)
Nick's
ready, man, Nick's ready.
Aaron Pritz (05:44)
Well, I think, give us a little bit more insight on, you know, being part of healthcare, human health, maybe what's different from some of your peers and kind of the focus maybe that are in other industries, manufacturing. What is it about human health that's kept you there for, you know, six plus years? And then maybe what's different based upon the focus or the tactics that you're using versus other industries?
Nick Sturgeon (06:07)
Yeah, great question. You know, as I mentioned, I bounced a little bit after leaving law enforcement, that public service side of me that, you know, we call it, you get the bug or, you know, it's in your blood to go into public service. And really healthcare is probably the closest to that mission of law enforcement of service and protection. You know, really the way that I look at it, and I've looked at it since
you know, I first got into healthcare, is if we don't do our jobs and our systems are not secure, lives are at stake. And that's really what drives me and my mission and that, you know, purpose of what I do, and I, you know, to my teams, it's like, you know, if we fell, people could get hurt.
Aaron Pritz (06:56)
Makes sense.
Cody Rivers (06:56)
Yeah,
well, I kind of want to talk about this, like, you know, identity crisis of, like, modern security. No, you had the same thought too, but you often mention, you know, that the perimeter is no longer just the hospital walls and it's kind of wherever the patient or the employee is. And we've mentioned before how OCM, or organizational change management, is that bridge that helps people accept this new, you know, more intrusive reality. When we, you know, how do you use OCM to change the narrative, you know, from like
Nick Sturgeon (07:20)
Yeah.
Cody Rivers (07:25)
"IT is watching me" to "we are guarding this mission together"?
Nick Sturgeon (07:29)
Yeah, you know, COVID really just exploded the perimeter of not just healthcare, but all enterprise systems. It isn't just the four walls of the building anymore. It is, you know, you've got your device and everybody's got, or most everybody has their email, corporate email hooked up to their personal devices. You're at home working on personal devices. You've got patients that are coming in and out of networks, and especially with, I think the challenging
part with healthcare is we've got medical devices in patients homes now. Home health has been a huge thing. It's exploded since COVID because of COVID. And so now, you know, there is really no true perimeter. It is really expanded to every patient's home, every employee's home. And so that makes it challenging to defend
The concept of, I only have to worry about these four walls, is no longer. And now as CISO and security teams, you've got to think about how do we defend against this, and the tools and the technologies change to be able to do that. Security, by the way that we do it, we're a friction point for business. It makes things harder.
Cody Rivers (08:46)
Yeah.
Nick Sturgeon (08:47)
Passwords, multi-factor authentication, all these other things interrupt those business flows that typically, I'm just going to get it done. And, no, I've got to log in and I've got to type a password in or hit a hardware token or whatever the case may be, that takes time. And in healthcare, I kid you not, and I've said this in open forums before, is nurses especially will count.
Well, if I have to enter two more keys on a, you know, go from eight to 10 or 10 to 15, that is going to be five seconds of additional time. And if I've got to enter in my password every 30 minutes, every hour, they will calculate the time over a week, over a month and a year of how disruptive those changes are to patient care. And so,
Cody Rivers (09:20)
Yeah.
Nick Sturgeon (09:38)
if you're in manufacturing or if you're in just a normal business, okay, so what? But when it's actually, if there's an emergency, somebody comes in the ED or somebody's in ICU and that impacts patient care. So when we talk about OCM, it's like, we've got to think about how is this going to really impact patients and the delivery of healthcare?
Cody Rivers (09:54)
Thank you.
Nick Sturgeon (10:02)
in either the ambulatory or acute settings.
Cody Rivers (10:05)
Yeah. Well, and I think too, kind of like, you know, you mentioned earlier in your famous, you know, ISP or police background, you had a badge in a uniform to kind of signal authority. You know, I think now as a CISO, you don't. So it's how do you exert that influence and drive change across the organization where you can't just give a citation for bad cyber hygiene?
Nick Sturgeon (10:24)
Yeah. And I think that's even in the leadership too. You know, when I, when I was a Sergeant and I had people, you know, chain of command, I'm your boss, you're going to follow my orders. And, you know, in the civilian sector, you don't have the same, yeah, I may be your boss, I could write you up, but now I got to get HR involved and get all these. So that, that how you lead is different. How you influence people is different, definitely different. And I think where.
I have found that what has been successful is connecting to patient care. It's like, and say, we're in the same thing. We want to make sure you're able to provide that patient care safely. And it's no different than, you know, every year we've got to do all the infectious disease, you know, trainings and all of that. It's no different here. You know, it's just digital versus physical. And so having that conversation and relating what we're trying to do
to what matters to our, what we call caregivers, our employees, that helps. Now, you know, it's the 80-20 rule kind of generally, you know, most people get it and then you're just gonna have that certain population that doesn't wanna do it. But okay, we can work through that. But I think really trying to relate what we're doing to the mission of, you know, our health system, I think is kind of that first step of
getting folks to get on board and adopt these, you know, whatever new security role or change or policy that we try to implement.
Aaron Pritz (11:56)
No, that's great. Yeah. And Nick, for similar reasons, Reveal Risk. You know, I spent a lot of my career in pharma, but we've heavily aligned to human health, whether that be pharma, life sciences, biopharma, healthcare, and then also, you know, payer insurance, which has many challenges, not only from a cyber standpoint, but just kind of how patient care is being funded and all of that. So we've been thankful and excited, motivated by having a
Cody Rivers (11:56)
Yeah.
Nick Sturgeon (12:19)
Mm-hmm.
Aaron Pritz (12:24)
a huge part of our practice be focused on that. I want to go back to a comment on perimeter. And you were talking about remote work and COVID. And obviously, we've all adjusted from that. But it's still adjusting, I would say. It's never done because that perimeter is always changing. Maybe broadening the question a little bit, because I've seen kind of the new perimeter shift again with AI. And I'm curious your thoughts, especially within healthcare as you think about
e-health prescribing and telehealth, deepfake, two questions. One, what are your biggest risk concerns with AI? And then what are you most excited about within AI and healthcare?
Nick Sturgeon (13:05)
Yeah, I mean, there's so much, and I think we're not even at the tip of the iceberg with the risk of AI in healthcare or in the industry in general or in life in general. But really it's, okay, for AI to work, it needs access to the data. And given that HIPAA and even other state privacy laws are around the data, the breach of the data, it's, okay. How do we
put controls and limit and have good governance on the vast amounts of data and it's stored in a number of different locations, but how do we effectively apply those controls and permissions and labels and just so that way that whatever model it may be that if it doesn't meet these certain policy criteria or
you know, conditions, then it doesn't get access to the data. You know, when we were first talking about turning on Copilot at Community Health Network, we've been pretty head first into AI and not shy about using it, but you've got to do it cautiously. And it's like, okay, we've got to get data governance down because, you know, Copilot, it's got access to Teams and SharePoint,
email box and all that. Like if permissions aren't set correctly and, you know, somebody has set something that's got PHI or PII or financial information to anybody in the network to see, then even if it is, you know, just doing what it's doing, it's a tool, and that could potentially cause a breach because somebody, you know, the tool has got access and the data has been exposed to, you know, one or more individuals
Cody Rivers (14:26)
Yeah.
Nick Sturgeon (14:49)
that it shouldn't have been exposed to, that PHI, and we've got a data breach on our hands.
Aaron Pritz (14:54)
Yeah. Nick, have you
seen a resurgence of a decades-old topic, info class, data classification? You mentioned data governance. Did you hear Microsoft proclaim that, for your Purview instance, you're going to need data classification to be able to tell us what you want in or out of Copilot?
Nick Sturgeon (15:02)
Yeah, I mean, we're working.
Yeah, in utilizing Purview as well as Varonis to help with that classification. I mean, it's a machine. I mean, yeah, it's a much smarter tool than maybe what we're used to. But if the metadata says this is PII or PHI, and we've got those rules that say you cannot be accessed except under these conditions, da da da da. If it's just open,
it's not gonna know, it's gonna say, okay, I'm gonna try to do what I need to do up here, you know, whatever key terms in the prompt, you know, or, you know, the user's asking for, I'm gonna go out and do it. So while it's intelligent, it's still a tool and it isn't, you know, it's just gonna go do what it's been asked to do. You know, it could, to me, that's been my biggest worry,
that overexposure of data on steroids when it, yeah.
Aaron Pritz (16:08)
Yeah.
Before we move on, Nick, what's the thing you're most excited about, just to counter the con and the threats?
Nick Sturgeon (16:14)
Yeah.
So, you know, it's not just the admin day-to-day stuff, efficiencies that you can get with AI. It's, you know, just the opportunity in the healthcare sector, with some moderation and human intervention, of just, you know, diseases and cancers, potentially finding cures for those things that
because of just limitations in prior technologies that we may now have the ability to get cures or provide different healthcare outcomes because of all of the data coming together and finding those correlations or connections that because of data sets being disparate, now AI could help bridge those gaps and find some.
and just help treatments, you know, in better treatments than maybe we've been able to get before AI was being used.
Cody Rivers (17:16)
I want to chat a few things too about, like, you know, about OCM and kind of process type things, but, you know, I know some CISOs will see, like, process and OCM as a phase two activity or something to do after tech is deployed. I think you're a little more innovative in, like, do you believe that it should be the first step in design of a security program, or where do you see process and OCM fitting in that kind of phase of rolling out a tool?
Nick Sturgeon (17:39)
Yeah. And, you know, we were talking about this, um, off camera, so to speak, um, beforehand is, you know, my previous role is like, okay, here's the project, you know, implement the technology, get it done, really in no fault to anybody. You know, I come into CISO and get my first big project, um, of security, uh, implementation, you know, new tool that we're putting out there.
And the tech part was the easy side of things. It was, oh, how are we communicating this? You know, how do we get that adoption? Because we really were forcing adoption of this particular technology. And the friction point throughout was the OCM is, you know, folks thought we were being intrusive or people didn't want to, you know, give up the information or
you know, didn't want to download the app on their phone or, you know, whatever reason that they came up with. And again, just from lack of experience, we should, I should have put more focus on the change management and the adoption at the beginning of the process, the effective communication and the why, and, you know, really, you know, even getting out to, you know, the workforce
earlier to say, okay, this is, you know, how would this affect your job and disrupt those processes? Again, it's knowing the business, it's understanding that in nurses and physicians, other providers, they just want to be able to get to the patient and have that conversation and get the treatment plans and all that stuff as effectively and efficiently as possible. But those, security tools,
again, like I mentioned earlier, are disruptive to that, even if it's just a second. And so I think, you know, to really answer your question, it needs to be a part of the beginning stages of every project. And I think that's one thing I think Community does very well. And again, part of me coming into the organization new was to understand that and learn that. I would, and I
feel that, again, as the role of CISO has changed from being highly technical to really being more of that understanding of the business. Still, you've got to understand the tech. That'll never change. But the shift of tech to business acumen is definitely a higher percentage of the business acumen.
Cody Rivers (20:07)
Yeah.
Crazy.
Yeah, well,
I always think, if you had to choose, question: you could choose between a one million dollar Gartner Magic Quadrant top-right tool with a zero percent OCM budget, or a hundred K tool, maybe a challenger, up and coming, with a hundred percent org buy-in. Which one keeps you sleeping better at night and why?
Nick Sturgeon (20:42)
I would say the
latter, because one of the, we actually had this conversation recently here in the last couple of days, is people will find ways around the security controls and tools. And I've said this for years. I want people to go through the security tools and controls that we have set up because I can monitor for it. I can alert on it and understand it. Even though
I've got my own feelings about Gartner, I would rather something that's going to get 100% adoption by the organization, even if it may not be the most tested or the most brand-recognized tool. We can make the technology work, get it to work along the way, but at least we are getting the adoption of our workforce.
Cody Rivers (21:10)
You
I say a lot of times and.
Aaron Pritz (21:33)
Okay, Cody, I'm having
some FOMO. You got a great question game going on. So we're going to keep them coming out rapid fire for Nick. You mentioned business knowledge and understanding the organization. And I know you've had some experience with both sides of this. So I bet you have a good opinion or answer. You have a choice between filling a role. Let's say it's a GRC leader role or something kind of in the medium tech requirements bucket. Do you hire a practitioner?
a business person within the organization that has a high motivational fit and desire to learn cyber? Or do you hire the stereotypical infrastructure guy that knows the nuanced depth and you know they're going to be rock solid from a tech standpoint and teach them to learn the business of healthcare?
Nick Sturgeon (22:18)
Yeah, I think it depends on the specific role. And I've actually had to make this decision in previous roles, is what do I want? Again, if it's from an offensive security perspective, I need a senior pen tester, I want the high-end technical person for that type of role. If it's a GRC or maybe it's kind of mid-level,
Nick Sturgeon (22:44)
I may choose the person that's got the fire and wants to learn. And my feeling has always been I can teach people technology, but there's those soft skills and certain things that people either have or don't. And if I need that, I guess if it really came down to it, give me a person who's highly motivated with zero skills. I can mold that person into what I want them to be and I can teach them the technology.
but it's really hard to, somebody may be highly technical, but if they're not motivated to learn and get after it, they're not, I would much rather the former.
Aaron Pritz (23:21)
Yeah, no. And you failed just to ask me for a C, all of the above answer. But in the real world, all of the above is often not available. That's what we call a unicorn. In my corporate experience as well, we've had success on motivational fit winning and some really good hires from the business side that actually went on to, we've had one of them on our podcast, Chris Farr,
Nick Sturgeon (23:26)
Yeah. ⁓
Yeah.
Aaron Pritz (23:47)
that went on to build a career out of cyber after coming out of finance and Six Sigma. So yeah, it does depend, but totally agree with you. Motivational fit and desire usually trumps all.
Nick Sturgeon (23:58)
Yeah. And it's, you know, I do the political answer of it depends, but one of the things, I kind of get off on a little side tangent here, is, you know, and I've experienced this as well coming up in a non-traditional cyber background, is, well, you don't have this certain pedigree. And it's like, you wonder why we're in such a position of
a large number of jobs not being filled when certain folks, not everybody, but certain, well, you've got to have this pedigree. Well, we need new blood. It's going to take folks from different areas to come in and be able to, that don't do the CS or the highly, you know, technical degrees and da, da, da, da. We need folks that come in from different areas and begin, as I said, the job.
Some of the roles are changing, especially with GRC or kind of these IT audit type of roles, where we need folks that understand, like, technology, know how it incorporates into the business, but they don't have to be highly technical. They don't, at least starting out, but again, if they're motivated and they want to learn Python or SQL, some of the, whatever, give them the opportunity to upskill.
Cody Rivers (25:19)
All right, man, I'm gonna bring it home with some, or some kind of fun questions now. You know, I wanna kick off with one that's a new one. So even Aaron doesn't know this question, but what is one cybersecurity word you wish you could ban from the boardroom to make change management easier? Right now, man, I'm coming in hot.
Aaron Pritz (25:36)
That's a heater, Cody. That's a heater.
Nick Sturgeon (25:36)
Geez. That's
actually, not so much a word, but maybe just a thought, is the CSI effect. You know, you know, cyber happens like that. Some of these things just don't, it takes time. And I've seen that in juries and other aspects where they watch the TV show and be like,
Cody Rivers (25:43)
Or a phrase, or a phrase.
Nick Sturgeon (26:00)
man, you can hack a cell phone in two seconds. No, you can't. Not really. Or you can, you pull this data in this record, you know, speed. It's like, nah, that's not really how it works in the real
Cody Rivers (26:11)
So I can watch.
Aaron Pritz (26:11)
My mind,
Cody, you didn't ask me, but I'm going to offer is eyes on glass. And that's probably more of the cyber leader saying that versus the business. But, you know, at this day and age, like, when are we not eyes on glass? And it's kind of a catch all for like, we're going to do it all. It's going to be fine. Like we get people with eyes on glass.
Cody Rivers (26:14)
What?
Nick Sturgeon (26:25)
Yeah.
Cody Rivers (26:30)
Also,
is it glass anymore? Are people still rocking CRTs or, like, the CRT monitors? Is it all, like, eyes on OLED?
Aaron Pritz (26:35)
Great point. It's actually invalid. So I'm
going to call the next person out that says "eyes on glass."
Nick Sturgeon (26:39)
Ha ha ha.
Cody Rivers (26:41)
Oh, man.
Well, cool. Nick, also, I'd like to ask, you know, I see you're a seasoned leader in the area, you know, respected by a lot of people and doing a great job out here in the community and the NCCC community. You get to get a phone call. You pick up the cell phone. You get to call the Nick of 20 years ago and give him a couple sentences or a couple, you know, blurbs of advice. What do you call on yourself and tell yourself 20 years ago with some advice?
Nick Sturgeon (27:04)
Yeah, be patient. You know, things happen when they will, when the time's right. You know, there's things, even career and trying to make that move. You know, you want the right fit. You don't just want to rush at the first opportunity. So be patient. You know, I think that I struggle with that all the time, but to go back and say things will work out the way they're supposed to. There's lessons to be learned, you know, in
the situations that you're in and just absorb everything.
Aaron Pritz (27:35)
Awesome. Nick mentioned at the beginning, as we were talking about, well, my reflection of how do you get it all done with councilman, PhD, CISO, and probably kids and all your other hobbies that you probably have. What have you learned, without getting into politics and all that? Like, what have you learned by being in politics and, you know, being a councilman within your township, and how that translates to politics that are in the workplace or
specific departments and so on and so forth.
Nick Sturgeon (28:05)
Yeah,
well, we'll stay away from the, you know, the big P politics and all that stuff, but really it's about dealing with people, understanding people's motivations. Again, how do we get people to do things that we want them to do without that threat of authority, you know, the badge and the gun, if you will, Cody, you brought up earlier, but it's interacting with people, really
Aaron Pritz (28:10)
Yeah.
Nick Sturgeon (28:30)
paying attention to understanding their motivations, their wants, what drives them to do things, and really utilizing that, you know, on the council side and the big P politics, to bring it in, and same things. It's just, it's politics of different flavors. And, you know, so it's just, there is some crossover there, the understanding and, you know, having to deal with getting yelled at as a council person because
folks don't feel like you did something right, you know, as a policy decision or you come in on the CISO side, well, why did you change this, you know, security policy and getting yelled at there? So it's just a little bit of similarities, but it's really.
Aaron Pritz (29:12)
Well, I can imagine you were
mentioning with the weather being negative 10 and water mains breaking and like across the state and you got to deal with complaints, probably same thing. Like are you blocking Claude co-pilot with full open access to everything on your PC and the network? Probably some similar conversations to say like, hey, we're trying to help. Here's what's reasonable.
Nick Sturgeon (29:27)
Yeah.
Yep. Yep.
Very much so. There are a lot of similarities there. Yeah, this security upgrade broke this and the business is screaming, or, how dare you do this?
Cody Rivers (29:43)
How dare you?
I did one tour on my 1000 Change the World and enjoyed my HOA for a brief two seasons and realized that it's not how you change the world. So I resigned immediately. Anyway, well, Nick, thank you again for the time today. We really appreciate it. It's been great hearing from you. And the tradition is we'll enjoy it as well too, but let you wrap us up.
Nick Sturgeon (29:55)
Yeah.
Aaron Pritz (30:05)
No, no, I think you already have Cody. Nick, really appreciate talking to you. As always, thanks for all your passion on human health, health care, general public services always, and keep fighting the good fight and we'll all win and save the world one person at a time together.
Nick Sturgeon (30:20)
Awesome, thanks for having me on guys.