State

Alabama CISO Ryan Allen resigns for hospital role

Allen, who joined the state government in November 2017, will become the top cybersecurity officer for the University of Alabama at Birmingham Health System.

By Benjamin Freed

December 17, 2019

Alabama state capitol building (Getty Images)

Alabama Chief Information Security Officer Ryan Allen resigned last Friday after a little more than two years with the state’s IT agency for a job as a vice president and top cybersecurity officer with the University of Alabama at Birmingham Health System, he confirmed to StateScoop Monday.

In a phone interview, Allen reflected on a few of his accomplishments as Alabama’s statewide CISO, but said his new job was too enticing to pass up — notably for eliminating the 90-mile commute that Allen, a Birmingham resident, made twice daily to the state capital of Montgomery.

Former Alabama CISO Ryan Allen (Alabama Office of Information Technology)

“After two-plus years it was time for other options,” he said.

Allen, who had worked before as an IT director for the UAB Health System, as well as the Children’s of Alabama pediatric hospital, was recruited to state government in late 2017 by Jim Purcell, then the state’s acting chief information officer. (Purcell stepped down in June, and has since been succeeded by Marty Redden.) One of Allen’s first major projects as the state’s CISO was to establish Alabama’s first secure operations center, which opened October 2018.

Allen said the SOC quickly got to work “monitoring the state network and agencies, bringing on some schools and offering some services which a lot of [rural communities] couldn’t afford.” He added that outreach to rural Alabama was a consistent part of his job, including sharing basic cybersecurity awareness practices or helping local government organizations buy security tools through a statewide IT purchasing contract.

He also recalled establishing the Alabama Office of Information Technology’s cybersecurity internship program, which has recruited annually three to four students from the state’s universities to help protect the state’s networks, and potentially attract participants to return to government service when they begin their careers.

“It keeps people in the pipeline,” he said. “We have had a couple hires thanks to the program.”

Allen also spent his tenure as Alabama’s CISO serving on the U.S. Department of Homeland Security’s State, Local, Tribal, and Territorial Government Coordinating Council, a working group comprised of state IT and emergency management officials that develops guidance on protecting critical infrastructure. Much of that work, he said, involved growing the Multi-State Information Sharing and Analysis Center, an organization that helps state and local governments defend against cyberattacks. In fact, Allen claimed that in 2019, he recruited more counties, cities and school organizations to join the organization than any of his counterparts in other states, leading him to call himself the “ambassador for the MS-ISAC.”

He was also responsible for fostering relationships between OIT, the Alabama National Guard and the office of Secretary of State John Merrill to protect the state’s election systems last November.

“Those were some of our best partners,” Allen said.

In moving to the UAB Health System, though, Allen is, along with a more favorable commute, returning to the sector where he’s spent most of his career. UAB’s flagship facility is one of the largest public hospitals in the country, and the system comprises nine hospitals and dozens of affiliated clinics, which collectively employ more than 18,000 people.

The U.S. health care industry has also emerged as a target-rich environment for ransomware threats, with 759 providers hit in 2019 alone, according to research from Emsisoft, including a hospital chain in Alabama that briefly turned away patients before paying hackers an undisclosed sum.

Allen said addressing cyberthreats against health organizations will require a more delicate approach than it does in government. Bureaucratic operations, he said, can weather interruptions that medicine cannot.

“Their mission [in health care] is to see patients as efficiently and safely as possible,” he said. “One of the first things I’m going to do is go down to the clinic and hospital floors and see how I can make improvements that don’t interrupt their workflow. If you interrupt somebody processing tax payments, that’s not great, but if you interrupt someone taking care of sick patients, that’s a whole different story.”