CISO Randall Frietzsche On Maximizing Resources, Reducing Overhead

Dan Gunderman

Randall Frietzsche

Randall Frietzsche, who began his career in law enforcement in the late 1980s and worked his way into the IT industry, is a technologist with quite the repertoire – in fact he has 26 technical certifications to show for it.

With a master’s degree in Information Security and Assurance, Frietzsche has worked in IT for 20 years. Fifteen of them have been dedicated to security (with 10 years in security in the healthcare domain). Despite the visible qualifications, Frietzsche says that the best part of being an enterprise security professional is the ability to work in a vertical he is passionate about.

In an interview with the Cyber Security Hub (, Frietzsche said that security “is a passion for me... I get to go in and do something I love to do.”

Frietzsche is currently the Chief Information Security Officer (CISO) and Privacy Officer at Denver Health, a Level 1 Trauma Center, teaching hospital and one of Colorado’s premier healthcare institutions. Frietzsche is also an instructor in Harvard’s risk management online short course. He teaches information security, ethical hacking, digital forensics and risk management.

One area Frietzsche has focused on during his time in the healthcare arena is third party risk management programs. Under his watch, enterprises have enhanced and matured their third party vendor programs, eliminating overhead and reducing administrative labor.

At a previous employer, one of the largest healthcare nonprofits in the nation, Frietzsche managed a wide range of third parties that the organization did business with and shared data with. It was his goal to come in and “take that program and bring it up to a high level of maturity,” Frietzsche said.

Frietzsche said that third party partnership is “something that’s been really increasing and accelerating in terms of how we do business today, certainly in healthcare.” This is especially true as enterprises in the space must be compliant with various federal and state regulations.

See Related: State Of The Union: Layer Security Or Prep For Legal Battles

Frietzsche said that in order to create a proper system, one must be able to strike up “important relationships” and discuss “high risks.” You must “do it in a way that doesn’t get in the way of business and their initiatives,” the CISO added.

He acknowledged that enterprises don’t have infinite resources, but executives must “maximize” the ones that are in play. For Frietzsche, that meant making the third party risk management system “as efficient” as possible.

The end result is a formal set of documents and action plans around mitigating threats. For large enterprises, though, there are typically various moving pieces (which varies, depending on the organization and the complexity).

In order to construct a proper system, Frietzsche said you “have to understand what the drivers are,” especially in a highly regulated environment.

Typically, in building the third party plans, the process involves questionnaires sent to vendors, which are then reviewed, plus calls with the vendor team or formal risk assessment reports. Once the risks are acknowledged, the security team drives corrective action plans around them. Then, deadlines are met and contracts are struck.

But for Frietzsche, who seeks to optimize and streamline the process, his goal became: eliminating any inefficiencies or duplications. He sought to implement a system that saw less time inputting data and more time actually analyzing risk.

“(I wanted to) turn that upside down – and spend a majority of the time doing actual analysis, to drive out risks and then mitigate,” Frietzsche said. This is a process that gets “proven out” through the maturation of a program.

See Related: Cyber Security Spending Is Going Up And Here's Why

Frietzsche suggested that one important trait when constructing these plans is, in fact, a soft skill: building relationships within the organization. He said those charged with the third party plans should make rounds, meet executives and build trust. This will ultimately allow for more changes if need be.

A second key: risk stratification. That is, clear identification of key risk indicators injected into the purchasing process. One must be aware, when sharing data with a vendor, if it’s sensitive, protected, regulated, hosted in a cloud-type solution, etc. Understanding this formatting allows these “builders” to “tier” various vendors.

Frietzsche said there is a three-tier system for these sellers, Tier 1 being “high-risk” and 3 being “low.”

Frietzsche added that once implemented, analysts assigned to particular initiatives track them through documentation and on the back-end to ensure that plans are firmly in place. Then, based on the “tier,” the enterprise will go back to the vendor after a period of time for regular maintenance and oversight.

Some other keys to success, according to Frietzsche, are: understanding your particular regulatory driver, understanding technical guidance and frameworks (such as the NIST cyber security maturity framework), and eliminating any unnecessary back and forth with paperwork by submitting and monitoring online templates.

“I was able to minimize the amount of data entry…and maximize the data available,” Frietzsche said.

“(So), maximize the resources that you have, minimize overhead and maximize the amount of time to dive into assessments,” he added.

You can connect with Randall Frietzsche on LinkedIn.

Sign up for the weekly Cyber Security Hub newsletter, here.