Wes Farris is the Director of Information Security and Enterprise Architecture at The Harris Center for Mental Health and IDD, in Houston, TX. Mr. Farris has extensive experience building and maintaining information security programs for healthcare institutions, designing security program technical architectures and operations, and leading information technology risk management and regulatory compliance programs. Wes received his B.S.O.E and M.A.M in Organizational Management from Wayland Baptist University in Plainview, TX, and is a Certified Information Systems Security Professional (CISSP).
In this interview, Wes Farris, Information Security Officer for the Harris Center for Mental Health and IDD, speaks with CyberTalk.org about his career, current projects, and business development initiatives. Discover how this solutions-focused security professional strives for a better tomorrow, and determine how to leverage his insights to improve your workflows.
Please tell us a bit about your journey into cyber security and how you became an ISO?
I started out as a desktop services technician in the early 2000s when HIPAA covered entities began building formal security and privacy programs. I worked my way up through network administration. The hospital I worked for at the time created an Information Security Officer position to build and facilitate a formal security program and I was blessed with that position and opportunity.
It was a tremendous opportunity and learning experience. I was able to design and manage every aspect of building and maintaining a holistic enterprise-level security program in a large healthcare organization.
Given your experience, what would you say are the essential skills for a modern ISO?
The most important ability is forward-thinking vision and being able to communicate that vision to your peers, executive leadership, and to the board, encompassing everything including obtaining the budget that you would leverage in order to design and implement a new program or make modifications to an existing program.
What are your top security priorities right now?
Everyone is hyper-focused on building a zero-trust security model, as are we. I believe in the zero-trust model. It is one of the most comprehensive models to come out in the past few years. We’re actively working on multiple zero-trust projects, and with that in mind, we also want to continue empowering our customers, making existing workflows easier and making new workflows possible.
‘Work-from-anywhere’ is a reality for us, as it is for many companies now. Our employees, regardless of location, are leveraging local and cloud resources. Zero-trust and work-from-anywhere while leveraging cloud resources is our current path forward.
What kinds of unique security considerations have you had to work around?
Like most organizations, we had to facilitate a hard shift when COVID-19 started. Prior to COVID-19, The Harris Center had a hybrid workforce. Some of us were on-site, while others of us were off-site. In response to COVID-19, we migrated our entire workforce to laptops and remote workflows.
We had to change the security stack in order to make that happen. We had to roll out new devices with Check Point Endpoint as part of our workflow expansion.
Supporting a diverse, work-from-anywhere workforce has been a huge consideration for us. We’re no longer simply supporting workstations and laptops. We’re supporting BYOD and agency devices of various types to facilitate telehealth and in-person workflows.
The number of devices and the number of platforms that we support has changed over the past few years. It’s been a hard push to implement and support all of that, but again, I would say, a tremendous opportunity to implement and secure all the new technology and workflows.
To support a remote and mobile workforce, we’ve leveraged many different environments: cloud, vendor-hosted, physical servers in our local data centers, and containerized environments to support our data science and clinical outcomes teams. And now, we’re getting into the platform-as-a-service space.
We are testing or using almost every type of new or existing environment that you can think of and creating and implementing the security stacks to protect those spaces, avoiding the retrofit security dilemma.
Harris County is striving for an integrated healthcare model. The Harris Center is leading the delivery of mental health and behavioral health care while supporting the integrated healthcare model by sharing data in a HIPAA compliant manner through connected EHRs.
The integrated healthcare model, and the sharing of data is a huge consideration in terms of how we approach moving forward with our IT environment, and in terms of what we do with our security stack.
What challenges do you have around finding security talent and what is your approach?
We have a hybrid model in place, combining employed information security analysts and an MDR services contract, where we’ve outsourced a portion of the security operations function. We’ve mitigated the talent acquisition problem by leveraging MDR services.
But even with that, I’ve seen challenges. MDR service providers and their customers face the same challenges. I can see a huge gap in security operations knowledge bases between what is in place and what is needed to be effective.
Talent acquisition for supporting newer environments, such as Cloud, Microsoft Office 365, and Azure has also been challenging. We have had to use contract resources to satisfy those needs as well.