Simplifying Cyber Podcast

From Audit to the CISO Seat

Written by Aaron Pritz | Jun 9, 2026 10:45:00 AM

A contract clause can change your entire security roadmap overnight, and in healthcare the stakes are higher than most industries want to admit. We sit down with Brian Waeltz, longtime healthcare technology leader and former CISO at Cardinal Health, to unpack how cyber risk becomes business risk the moment patient care, diagnostics, or critical operations get disrupted.

We start with Brian’s path from audit to executive security leadership and why an auditor’s skepticism can be a superpower when it’s paired with empathy and clear communication. From there, we dig into governance, risk, and compliance as more than a rearview mirror. Brian shares how he gets leaders to define what a “bad day” looks like, then ties technical threats to financial impact, operational impact, and regulatory exposure so decisions don’t stall in jargon.

Subscribe for more, share this with a security leader or business partner, and leave a review with your biggest takeaway.

Listen and watch wherever you podcast:

On Spotify, Apple Podcasts, or Buzzsprout.

Or watch the whole recording here on our YouTube Channel!

Aaron Pritz (00:09)
Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz. And today we're happy to be here with Brian Waeltz, most recently CISO at Cardinal Health. Welcome to the show, Brian. How are you doing today?

Cody Rivers (00:13)
I'm Cody Rivers.

Brian Waeltz (00:21)
Doing well, pleasure to be here. Appreciate you having me.

Aaron Pritz (00:24)
Awesome. Well, we like to start off every episode with just getting to know our guests. So we've met you before, but we want our guests to have the chance to meet you. So give us a little bit of an overview of the Brian Waeltz story and specifically your journey to CISO and into cyber. I know when we first met, we shared some audit lineage in our history, but give us the quick and dirty.

Brian Waeltz (00:46)
Yeah, absolutely. Appreciate it. So I actually started my career in public accounting, working for EY for the first six years of my career, kind of splitting time between financial and IT audit. And at that point in time, as a typical consultant, I was doing tons of traveling and decided I wanted to get off the road and find something a little bit closer to home. So I moved to Cardinal Health, where I spent probably 22 plus years in that organization, kind of starting in

IT audit, but quickly pivoted into IT after a couple of years there. And I think that was kind of the great thing, the opportunity to try different things and move into different areas of the business. And so I moved into a role that was primarily focused on risk management, compliance, governance type roles. So kind of leading our SOX program office, building out some FDA capabilities and things like that. And I did that for about

seven years and got to a point where I was just like, I'm tired of telling people what they're doing wrong. I actually want to go build something. And so I did kind of a career pivot. I probably spent the next seven to nine years in more traditional IT roles, deploying things like ServiceNow and ITIL capabilities across the organization, doing a stint through infrastructure, and then switched into a couple more business-facing IT roles where I was an IT business partner, helping to build out IT-enabled business strategy,

putting together business cases and then executing large projects to help the business move forward. And then probably about six years ago, I got a call from our CISO at the time, who I had worked for in a prior role. And she's like, hey, I'm creating a deputy CISO role. Is that something that you would be interested in? And I said, absolutely, I would love to get back into security. So security has kind of been the bookends of my career so far, but I have absolutely enjoyed my time in it.

Aaron Pritz (02:32)
That's great. And yeah, we both shared, when we first met, that kind of early career audit background. And I know for me, it was formative to kind of understand internal controls, both the process side as well as the technical side of controls. What impact did audit have in kind of shaping you as a cyber leader, and specifically as an IT practitioner as well?

Brian Waeltz (02:54)
Yeah, well, I think first and foremost, right, like just being skeptical, right. And it's not that you're just the negative Nancy, right. But I think you've got to have that view on everything as you kind of do your work, right, is understanding what could go wrong. And I think that's very much the same way it is with security. Right. You're always looking for those holes that could be breached in your security posture. And it's kind of like layering layers of Swiss cheese on top of each other to make sure that you've got enough layers to close those holes and make sure that you're in good shape to protect the business.

Cody Rivers (03:29)
Yeah, awesome. Well, I have a question kind of going from the audit side, and like I think of GRC as kind of a resurging topic in a lot of cyber programs. I look at yourself with two decades of perspective at one of the world's largest companies; you've seen GRC evolve. Is GRC finally becoming the GPS that tells us where to spend our next dollar, or are we still just using it as like a rearview mirror?

Brian Waeltz (03:54)
Yeah, I mean, I think it is about how you look forward on there, too. And I think cyber has a bigger seat at the table than we've ever had before, right? An opportunity to help influence the business. Right. And it's been interesting to kind of see, you know, nobody was really talking about cyber as a risk. Then it started to show up on enterprise risk management lists out there. But then when you start to dig into it and pull the layers back and ask the business, like, what are you most concerned about? They're like, I don't know. I read a lot about it

in the newspapers and I see stuff online and I know it's a risk to the business. Right. So that's when you really have to start to kind of peel those layers of the onion back and start to dig in and understand, well, are you concerned about operational disruption? Right. Are you concerned about data loss, et cetera? And so I think those have been very rich discussions to really help them understand how we view cyber risk and making sure that they understand it's not just the CISO or the CIO that owns it. Right. Like it is a collaborative discussion

and collaborative ownership around those risks, right? Because we may have a part in the remediation or the mitigation step that we put in place, but part of that could also be on the business as well with continuity plans or diversifying their supplier base and things like that. While you can always learn from history, I do view it more as like, how do you move the business forward and manage that risk for them?

Aaron Pritz (05:16)
Yeah. So two decades in healthcare, and I was on the pharmaceutical side, you're on the payer healthcare side for the two decades. For you, what makes human health and healthcare unique in cyber, and why did you choose for two decades to focus on that sector?

Brian Waeltz (05:36)
I think for me, it's just more of a personal thing, right? Like the mission of healthcare, to help people get better, is very personal to me. I always kind of put myself in that seat no matter what role I was in, right? And I think just even going back to my time in infrastructure, I led our enterprise database team, right? 7,000 plus databases. And nobody gives you a lot of kudos when things go well, but when that thing goes down, right? Like you're hearing lots of noise about it. And I remember one time,

we had a pretty major outage on one of our key systems in our nuclear pharmacy business, and it ended up stopping us getting prescriptions out to a particular hospital to run diagnostic tests. And so they ended up having to send some patients home who couldn't get those diagnostic tests. And so you kind of just step back and say, that could have been me, could have been one of my family members. And you just don't ever want that to happen again. Same thing with security. Clearly, you don't want to have any

disruptions or data loss in there that could negatively impact those patients and their families, right? And so you take that mission very personally. I think that's what kept me at Cardinal as long as I was there.

Aaron Pritz (06:47)
That's awesome. Talk to me about translating risk into business language. And obviously with GRC, a lot of the art of it is in how you tell the story and communicate things to non-technical audiences. For you, one, how did you form those skills as you were coming up in your career? And two, do you have examples of where the way that you communicated something

made the difference of whether an initiative moved forward or it didn't.

Brian Waeltz (07:19)
Yeah, I think it's difficult. Some of those conversations are very difficult, right? Trying to be able to translate a very technical topic into something that they can really understand. But I think, as I mentioned before, just starting to ask the question around like, hey, help me understand what a bad day looks like for you. Is it your systems are down for a period of time? Is it, you know, a file with patient information in it getting exfiltrated? Is that what you are most concerned about, right? And just helping them understand what are the regulatory and compliance risks associated with that. But then also like, what does that process look like? Right? Like if you were to have a major incident like that, you've got to spend some time to help them understand that and translate that risk into something that's more business oriented. Numbers talk, right. So making sure they understand what is the financial and operational impact of that, I think, is usually beneficial to doing as well. I think in terms of kind of

you know, maybe stories or instances of us having conversations with the business, one that kind of comes to mind from a GRC perspective was, you know, we had a business unit that was getting close to signing a contract with a pretty major customer for them. And as they engaged the security team, we were looking at some of the contractual language and understood that the customer was requiring HITRUST compliance, right? Within a period of two years.

Now for anybody that's gone through that, it is a pretty lengthy and time-consuming process to be able to do that. Not only understanding what the current state looks like, but then also the remediation that you need to do, going through the certification process. And so they were in a hurry to get this contract signed and we kind of just said, hey, time out. One, this is a big deal. So you need to understand and recognize the investment that you need to make to satisfy this contractual requirement, but also recognize

that this customer is also one of our largest customers, or the largest customer, in another business unit of the organization. So whatever decision you make impacts those folks as well. And so while we were kind of operating at the senior management level of that one particular organization, it got escalated all the way up to our CEO and CFO before we made that decision on whether we were going to invest the money and then move forward with the contract as it was. And we ended up

doing that and got the support we needed to get that HITRUST certification in place. But again, it is really about making sure you've got collaboration across the business to surface those risks and make sure that you're making some educated decisions.

Aaron Pritz (09:52)
That's awesome. I love that you had that business area. You guys were at the table reviewing the contracts, calling that out early. We've had examples of clients and people within our networks where the business made a decision on a contract and they found out about it afterwards. And sometimes with a lag in the time period that they had been given to make it down that journey. So maybe give us a little bit more about the decision process that you probably had.

Cody Rivers (09:52)
Yeah.

Aaron Pritz (10:20)
HITRUST, is it going to be for the entire company end to end? Is it specific to that business unit? Is it only for that specific client? So how did you walk through its scope to get it to the right size to be both effective and scalable?

Brian Waeltz (10:35)
Yeah, I think as we kind of walked through that, that request or that requirement wasn't coming up in any of our other contracts with that customer. So we kind of just made the decision early on that we were going to really just focus on certification for that one business unit. And then to your point, it was a matter of then talking through, from a system impact, what are the applications we want to bring in scope for that too? And so we tried to take a minimalist approach to that to say, hey, what are the items that the customer cares about

and the data they care about? And let's make sure that we use that as kind of, you know, how we orient the scoping for that. So we ultimately determined that we could leverage that to our advantage, right? Like I think as we kind of made that determination of, you know, HITRUST certification, yes or no, it's like, hey, this could be a market differentiator for us if we're kind of first to market with this. And so we can use that as we go out and try and win additional business. That's kind of how we viewed it, like, you know, that would be available for any

potential future client out there. But the one thing I would say, and you kind of brought it up, is like, you definitely don't want to get notified of these situations after the contract's been signed. So like that collaboration across the business, across procurement and legal is extremely important. And I think if nothing else, like you're looking out for each other's best interests to say, hey, you know, I saw something coming down the pipe that's got some privacy concerns around it, let me make sure I get our

head of enterprise privacy engaged in this to at least understand, you know, are they aware of this particular contract and piece of business that we're trying to sign off on? And so I think that was extremely important for us in that situation.

Cody Rivers (12:14)
And leaning into this HITRUST thing, I'm saying it's a yes, but we know HITRUST is the Iron Man of security certifications. But if a company, for our listeners, is just starting out that journey because a contract requires it, what's the one mistake they make in the first 90 days that costs them the most later, from your experience?

Brian Waeltz (12:36)
I think scoping could be that, right? Because again, it's not only the kind of pre-assessment you need to do to understand, like, are my controls good or bad? And where do I need to go, you know, take some remediation steps, right? If you don't scope that right, you could be creating a bunch of work that doesn't add a ton of value to that certification or doesn't need to be part of it. Right. So I do think that's important. Part of it is taking your time to kind of put a ring fence around what you're going to go and certify,

at least based on our experience.

Cody Rivers (13:08)
Yep. Kind of changing gears a little bit here, like the resilience for security mindset, you know, you've mentioned that cyber attacks in healthcare aren't just IT issues, they're patient safety issues. But when you're talking to the board about like cyber resiliency, how do you shift the conversation away from like preventing breaches to surviving them without losing the trust of the customer?

Brian Waeltz (13:34)
Well, I think honestly, like we spent a lot of time with our sales team too, as they were engaging with customers on some of this stuff. And it even got to the point where we participated in like some of their resiliency exercises as well to kind of talk about like, hey, if we were down, like what would you guys do and vice versa? Like how would we partner together? So I think that's an important part of it as well. But in terms of like talking to the board and the executive leadership team around that,

one of the things that I'd done like early in my tenure as CISO there is we had brought in an external speaker to our board, and the message he kind of delivered to them was like, it's not a matter of if, but when a cyber event happens. Like you can't expect Brian and the CIO at the time to prevent every single incident out there. Right. So it's about how quickly do you understand what's going on and stop the attack,

but then obviously recover if some of your systems are impacted. And so I think it was good orientation for the board to understand that. And then I think you've got to put some programs in place to help measure the maturity of your resiliency program out there. So kind of within the scope of my remit, I owned all of the disaster recovery planning and things like that and crisis management. And so a lot of what that team did was

working with the business to understand, like, what are the critical systems? And I think that's probably the most important thing, is to understand that everything isn't created equal, right? 'Cause if everything's a priority in that situation, nothing's a priority. And so we really had to spend a lot of time kind of going through the business impact assessment and understanding, you know, the critical processes for the businesses and then what systems support them, and making sure we could weave that into the plan. And then from there,

Cody Rivers (15:05)
thing is.

Brian Waeltz (15:20)
it's about understanding what types of recovery plans do you have in place? How frequently are you testing them? Clearly something that's more critical, you want to test it more frequently and understand that you could go and execute in some kind of a disaster scenario. And then, you know, making sure that you're scorecarding that and reporting that out to the business. And like one of the things that I thought was kind of genius from my team was starting to look at it more from like a letter grade.

Right. And so everybody understands what's an A, a B, a C, and a D, right? Like we've all been in school and so we understand that. And so they started to kind of put that lens on it for our internal leadership team to understand it too, and to really drive action, because in a less mature organization or program, you're probably doing a lot of heavy lifting for those teams, right? They don't understand how to write good DR plans and what all the components need to be. And so we did a lot of that hand-holding for them.

And we did a lot of that, like fingers to keyboard, as they were executing tests in their non-production environment. And we kind of got to the point where we said, hey, listen, if we have a major incident, it's all hands on deck. Like our team can't support thousands of applications being recovered. Right. And so you've got to understand your own plan. You've got to be able to execute it, and you should be able to execute it in your production environment. And so we created kind of a formula to help measure

each of those steps in the maturity journey around resiliency for those teams. And then we would scorecard it and put that in front of the leadership team on a quarterly basis. It's always interesting to see, like, you know, it's a very competitive culture there. Like people don't like C's and D's associated with their name, right? So that tended to drive action for them and help improve the current state for those.

Aaron Pritz (17:06)
Yeah. So

what you're talking about, we see it at a lot of companies where the cyber team or risk management owns business continuity planning. And what you hope that means is you own coordination, but the true business leaders are the ones that are going to need to run those functions when it is down in a major crisis or cyber attack or whatever. But there's still a lot of the central ownership where everyone's having it done for them. And it sounds like in your story, you knew that that wouldn't scale and you needed to both,

one, federate the ownership to the true leader that should be responsible, but then two, put a measurement system in place to gamify or give them some drive to not be that C. Is there any other kind of tips along the way to kind of when you transition from the former state to the future state, how did you get that ownership shift to happen?

Brian Waeltz (17:40)
Right.

Well, I think part of that is making it a part of folks' performance goals. And so we didn't necessarily describe, like, hey, you've got to have an A for all your critical systems. But, you know, we kind of looked at it just overall, like a percentage maturity. And we kind of said, hey, you need to improve X percent over the course of this next fiscal year. And so we tried to drive it into performance goals, which obviously is tied to compensation and your year-end performance review. And so that tended to get the action that we needed in those

particular scenarios.

Cody Rivers (18:34)
What about a time, let's see, when you had to be the bad guy? Let's say you had to tell a business not to sign a contract because X requirements were a bridge too far. Give us that. How did that go? I'm sure that wasn't a message well received, but how do you kind of end that conversation when the answer is we shouldn't do this?

Brian Waeltz (18:54)
Yeah, I would say there are very few times that we've had to go there. And it's not easy, right? But I think, one, you've got to build trust with those folks in the business, too, so they understand, like, you are doing this in the best interests of the organization. It's going to create problems down the road if we go and enter into this agreement. And so we kind of just take a very factual view of, like, hey, we did a third party risk assessment, and we did have one vendor in particular that we kind of said, hey, this is a no go for us.

And so we kind of just laid it out and said, hey, we had X number of criteria, you know, let's say 20 criteria that we evaluated them on. They, you know, passed on 10 and they failed on 10. And this is why these 10 matter for you. Right. And, you know, based on maybe the HIPAA data that you're putting into this application, right, there's a high chance that there could be some kind of a breach at the vendor. And obviously that has a major impact on us as a healthcare organization. So

Again, it was just coming to the table with some data points to have that conversation with the business. And I think they understood and they were quite honestly, they were prepared with two or three other alternatives that work for them and they were able to move forward with it. So it wasn't like we stopped the project, but maybe it wasn't the exact vendor that they wanted.

Cody Rivers (20:09)
Sure. Well, great, great, excellent answer. Like a very seasoned executive answer there. So now, say you get to make a phone call to the Brian of 20 years ago, you know, just starting out his career. What's a couple of nuggets of advice you're giving yourself? You know, the "I didn't know then what I can tell you now, hey, here's some nuggets." So what's the Brian of now telling the Brian of then?

Brian Waeltz (20:34)
That is a great question. Like, I think for me, you know, knowing I spent the first six years of my career in public accounting and then the first couple of years at Cardinal in audit, it was like, be uncomfortable, right? Like push yourself outside of your comfort zone, right? Because after I moved out of audit, I was still doing risk and compliance stuff, right? So I was still the auditor. I had my auditor hat on trying to find problems and, you know, get people to care about it and go do something.

And it wasn't until I made that transition into the more traditional IT roles that I felt like I really started growing as a leader. And it was because I was being put in situations where I wasn't the expert and I had to rely on a lot of other really smart people to do their jobs to make the team successful. And so, like, I'll never forget when I was approached about the database role there, and I had a conversation with my VP at the time, and I was like,

dude, the last time I looked at a database, I was in college, right? So I have no idea how to manage people who've been doing this for 20 plus years. And, you know, what he told me was like, the issues, the challenges they have are more around lack of process, morale of the team and those kinds of things, which you're really strong at. So view it as a compliment to that team that you can help them get through that and get to an end state. And so, you know, I took that as a challenge.

Cody Rivers (21:35)
You

Brian Waeltz (22:01)
But then I also had to kind of just roll up my sleeves and spend a lot of time on phone calls at night, you know, where we were having outages, to understand their world, right? And to be able to not know it, but know how to ask the right questions and maybe challenge them to think differently. And so I probably grew more in those three years, and like it was a long time to be in that role, it was a meat grinder, but I probably learned more about myself and my leadership capabilities doing that than if I had just stuck in that

that audit type role for three more years. I don't know that I would have necessarily been on the same trajectory from a career perspective.

Aaron Pritz (22:38)
Yeah. There's a lot of debate in the industry, and it's usually technical leaders debating, that a CISO must, you know, have worked in a SOC and reverse engineered malware. And then there's another faction that would be like, that's been the model for decades, like business, you know, we need people that can talk in boardrooms. And obviously the answer is somewhere in the middle, but given your experience and kind of what you've seen work well, what

Cody Rivers (22:38)
Say growth begins where comfort ends.

Aaron Pritz (23:05)
what is that right balance? And kind of similar to your reason why I thought to ask this question, like your leader for the database team was like, we're not looking for a 20 year database leader. We're looking for someone that can lead teams and help to have the right conversations to get barriers reduced.

Brian Waeltz (23:14)
Yeah.

Yeah. Yeah. I mean, it's a great question. You know, I think part of what I tried to do is just establish trust with those people too. Right. I think that's an important part of going into those kinds of situations, is making sure you establish trust, so they understand you've got their best interests at heart. You're going to listen, you're going to learn, you're going to try and understand the challenges that they have on a daily basis. And I think about, like, when I went into

the deputy CISO role that was, I would say, more operational. So again, I may not have had the experience as a leader of a security operations center or some of the application security or whatever. But I had managed teams that they worked with on a daily basis, right? Like clearly one of the key teams that we work with in security is infrastructure. Application security teams are working with the app teams to make sure they're writing better, more secure code, right? And so I had

led those teams and understand how to work with them and maybe what types of messages would help resonate with them. Right. So I think it's really just trying to make sure your team understands, like, hey, here's what I bring to the table that can help you to be successful here. It's not necessarily, to your point, that I know how to reverse engineer malware. We've got lots of really smart people that do that. But it's helping to understand, like, what does that mean for the business if something bad happens or if malware gets loaded on a laptop? Like, what does that mean?

What are we going to expect them to do in those particular situations? And I think maybe that's what I learned having spent time in those traditional IT roles is I've been on the other side of the table from those or helped with an incident investigation and could translate what's the impact of the business or be there to have that conversation with the business of, we've got a problem. Here's what we need to do to go resolve this. And so again, you've got to build that trust ahead of time.

So that makes those decisions and those conversations a little bit easier. Hopefully that answered your question there.

Aaron Pritz (25:22)
That's awesome. One last question before we go. We'll make it a fun one. What is one thing that most people, maybe even people who worked with you, don't know about you, that you want to unveil? I didn't prep you for this question, but what's that one fun fact or surprising thing?

Brian Waeltz (25:40)
Oh my gosh, one surprising thing. I'm boring, man. I've got everybody asking me that question.

Cody Rivers (25:47)
Could be like you can

juggle man. You know, who knows? Think of that wild talent.

Brian Waeltz (25:50)
Yeah, I can't juggle. Unfortunately, like, I'm a Cleveland sports fan. So that's not fun. Like that's pretty much misery 365 days a year. So I don't know that I've gotten this. Yeah, that's what my wife says all the time. Like, hey, why did you raise your kids to be Cleveland sports fans? Look at how miserable you are. I was like, to your point, it helps you build resiliency, like you learn how to deal with disappointment, there's lots of good life lessons to be learned

Cody Rivers (26:00)
You're a committed Cleveland fan.

Aaron Pritz (26:01)
You built resilience over the years, it sounds like.

Brian Waeltz (26:17)
rooting for those types of sports teams. Yeah, like golf, travel, all those kinds of fun things.

Cody Rivers (26:24)
Favorite

vacation or favorite travel location.

Brian Waeltz (26:28)
Oh gosh, well, we did a big family vacation to Europe last year to celebrate our son's high school graduation and a couple other milestones we had in the family. It was the whole Clark Griswold vacation with the five-page itinerary. And so we hit it all. Pretty much the same cities they were in too.

Cody Rivers (26:46)
There you go. That's awesome. That's awesome.

Aaron Pritz (26:52)
Very cool. Well, awesome. Thanks, Brian, for coming on

the show today. It's been great to get to know you a little bit better. And hopefully we talked about some topics that revealed some answers and options for people that are facing some similar challenge to the HITRUST or compliance level thing, or trying to get business ownership for their resiliency program or BCP program. Appreciate you coming on.

Brian Waeltz (27:14)
Yeah, I appreciate it. Thanks for having me.

Cody Rivers (27:15)
Thanks, Brian.