For even the most dedicated employees, Friday afternoons can be a time to slow down. But for Joshua Roth, these periods call for extra vigilance. As the chief information security officer (CISO) at the Children’s Hospital of Orange County (CHOC), he knows cybersecurity attacks don’t subscribe to business hours.
“Some of the biggest threats are the ones that will pop up on a Friday afternoon,” he says. “And then it’s all-hands-on-deck to mitigate the risks.”
In his role, Roth assesses the overall maturity of CHOC’s information security systems. He ensures they have appropriate resources and processes for data protection, looks for potential gaps in the system, and locates areas of opportunity, including new technologies and new ways to monitor threat intelligence.
“The process always requires improvement,” he says. “And that’s a continuous activity to always be evaluating.”
In a landscape that changes daily, sometimes even hourly, it’s not a game of if a cyberattack happens but when. For this reason, Roth prioritizes having quality teams, vendors, tools, and response plans—he knows security is an essential part of patient care.
“Ransomware will literally take down an organization,” he says. “Whether it’s hospital operations that go down or the medical devices that provide patient care, all of those can be impacted by cybersecurity.”
Patient well-being sits at the top of Roth’s priority list. After many successful years at healthcare company Kaiser Permanente (KP), he decided to move to the nonprofit space.
“It come down to what I see as the mission of nonprofits,” he explains. “For CHOC it’s to nurture, advance, and protect the health and well-being of children. For KP, it is to provide high-quality, affordable healthcare services and to improve the health of members and the communities we serve. From my perspective, it’s not about shareholder profits; it’s about what you can do for the communities you serve.”
With his stepfather serving as a detective, and his mother as a nurse and emergency room director, Roth developed a worldview of public service from early childhood. He combines this with his passion for supporting children’s hospitals, which stems from the experiences of his children. His son is on the autism spectrum, and his stepdaughter has Down syndrome. Once a CHOC baby, she still receives care from her CHOC team, despite being over eighteen. Taking all of this in consideration, Roth considers working for CHOC “an honor.”
“It just speaks volumes for the type of organization that they are,” he says. “And that’s what I want to be a part of in doing my job.”
Meanwhile, what speaks volumes to Roth’s leadership is the way he retains team members. In his nearly ten years at Kaiser, none of his fourteen employees left. An unheard-of win in the industry.
“It really comes down to how you treat these individuals, building that trust with them, and being an advocate for their career aspirations,” he says.
Roth likely developed much of that trust during the biweekly one-on-ones he held with team members, a practice he continues at CHOC. The CISO believes it important that everyone sets their own agenda, as some dread the structured meeting. If an employee prefers to ditch the work talk and just chat about their weekend or family, Roth is all for it.
“It’s to build that rapport and mutual trust,” he says. “I’m just as accountable to them and their success as they are to me and the organization.”
Mutual trust, accountability, and inclusivity are key tenets for Roth. He wants everyone he works with, including his outside vendors, to know their relationship is not hierarchical but lateral and symbiotic—an especially important differentiation at a time when retention seems more critical than ever.
Roth has heard estimates tracking worldwide cybersecurity job openings at just over a million. Some call this the “Great Resignation,” but he thinks of it more as a “Great Reshuffle.” Rather than just quitting, people are seeking positions that better meet their talents and expectations.
He believes companies need to invest in their people and welcome all kinds of future cybersecurity professionals, confronting the situation with an open mind and willingness to mentor. Having hosted interns throughout his career, the CISO relishes the opportunity to guide prospective specialists. “Internships are some of the most fulfilling aspects of my work,” he says. “You get to work with someone fresh, teachable, and passionate.”
Roth also says companies cannot expect to only recruit candidates with four-year degrees or industry internships. “I think we need to do away with this traditional expectation and focus instead on people who might have certifications in the field or the passion, soft skills, and desire to learn,” he says. “Otherwise, we will not have the numbers we need.”
With such roles remaining empty, companies in every sector will struggle to maintain secure systems. Without such insurances in healthcare, patients and their information cannot be protected adequately any day of the week, perhaps especially on Friday afternoons.
“When you have resources spread thin, it’s a distraction,” Roth says. “We have to make sure that we can keep our eye on the target.”
Zero Trust principles are critical to the successful implementation of Secure Access Service Edge (SASE), which is the model for a cloud-centric, hybrid work architecture where data is protected everywhere it moves across cloud, SaaS, IaaS, private applications, web, e-mail, and endpoint devices. Netskope’s approach to SASE and Zero Trust data protection has seen rapid adoption by enterprise healthcare providers and service organizations all over the world, and has been repeatedly recognized by leading technology analysts.