Meet Your Infosec Team: Joe Susai, Chief Information Security Officer, Washington University School of Medicine

This month, we met with Joe Susai, WUSM CISO, to learn more about what he does at WashU and his background. Please read on for our questions and his answers.

What is your role at WashU?  

I am responsible for all aspects of information security practice and programming for Washington University School of Medicine’s clinical, pre-clinical, and academic areas. This involves collaboration and cooperation across our entire institution, including strong relationships with Danforth schools, Medical School departments, partners such as BJC, and more. 

What is your favorite part of this job?  

I enjoy engaging with our leaders and stakeholders to promote effective cybersecurity practices while fostering awareness and building trust throughout our community. I appreciate that our collective actions can create long-lasting positive impacts for our organization and beyond. This work is exciting, exhilarating, and exhausting for some because it demands continuous learning and adaptation to stay ahead of the constantly evolving threat landscape. At WUSM, we are up to that challenge. 

How did you arrive in infosec?

After majoring in computer science, I went to work in programming but soon realized that I preferred to work in the infrastructure space, designing and building complex networks and data centers. I started in the hospitality sector; then I moved to the financial sector, and then into healthcare, where I spent most of my career (more than 22 years). I was heavily engaged in security aspects of my work, and I developed a strong interest and curiosity for security. I decided to focus more on that area via education, practice, and networking. Along the way, I earned advanced certifications in security program management, risk, privacy, and IT process improvement.

What is something that people do not understand about your position, role, or infosec in general?  

First, infosec is a team sport, and a strong information security program requires a community effort involving everyone—internal and external, working together and doing the right thing to create effective security. 

Second, the InfoSec program is only as strong as its weakest link.

Third, the role of InfoSec is to empower business and minimize disruption. Our goal is to define guardrails, not to create roadblocks. We want our user community and business to stay on course by reducing organizational risk and adhering to regulatory requirements.

Fourth, that the odds are stacked against us. A bad actor (cybercriminal) only needs to be lucky once to compromise our system. We need to be ready day in, day out. 

What is something you enjoy doing in your free time?  

I enjoy reading (mainly non-fiction), hiking, long walks, and biking. I cherish time spent with my daughters, playing soccer, field hockey, or cards, and our various volunteer activities at church. I also like to work with local schools and organizations to promote awareness of and careers in cybersecurity. 

What is something that you can’t live without? 

I can’t live without hope—the reason you keep going no matter how many times you fail. Hope that our kids and future generations will live on a better planet and in a better community, guided by faith and love for one another.  

How do you see infosec changing in the next five years?  

The threat landscape is going to get worse before it gets better. Societally, we have a shortage of cybersecurity skills, but threat actors are increasingly sophisticated and well-funded. Some are backed by nation-states. The cybersecurity market will favor AI (artificial intelligence) and ML (machine learning) to effectively counter threats and better defend organizations. Intelligent orchestration will accelerate incident response through automation, process standardization, and continuous integration with existing tools and shared threat services. Collaboration with government agencies and private sectors will continue to gain momentum, sharing timely and effective threat intelligence enabled by advanced data correlation and automatic threat mitigation services.