In September 2024, Janet Rathod joined Johns Hopkins as the new vice president and chief information security officer.

Rathod has extensive experience in the information technology security field, having served 16 years in the FBI. She was a member of the FBI’s Senior Executive Service, where she had governance responsibility over intelligence programs for 56 Field Offices and four operational divisions. After her federal service, Rathod moved to the consumer financial services industry, most recently at Citibank, where she led cyber intelligence across multiple global teams.

She replaces Darren Lacey after his 21 years in the role. Lacey now serves as chief engineer for cybersecurity at the Johns Hopkins Applied Physics Laboratory.

After Rathod’s first month on the job, she sat with Dome to talk about her new responsibilities.

DOME: First, welcome to Johns Hopkins! Just walking in the door, what do you see? How do things look?

JANET RATHOD: Everybody has been very welcoming. I would say the number-one thing that has stood out to me about the IT teams at Johns Hopkins — the cybersecurity team and the larger IT structure — is the number of people who've been in the organization for 10, 20, 30, even 40 years.

The culture is very positive and collaborative, and people speak highly of one another. The teams are very mission-oriented and have tremendous technical depth and institutional knowledge. That’s really stood out to me.

Looking at the IT component, the scale and scope of what we're protecting is absolutely monumental. We’re protecting three different verticals: health care, research, and the university.

DOME: Those sound like very different areas.

RATHOD: From a cybersecurity perspective, they are, but our core mission to protect sensitive data and infrastructure remains consistent. On the university and research sides, we are very focused on ensuring the safe and free-flowing exchange of information, as well as ensuring the safety of student and research data. And then on the health side, there are unique patient safety and data considerations. 

DOME: You’ve called coming to Johns Hopkins a once-in-a-lifetime opportunity. What makes you say that?

RATHOD: There is no place like it. When I think about the unique work that happens here and the incredible history, there is no doubt that across the board, Johns Hopkins is changing the world. To be a part of protecting the important work that's done here is genuinely a once-in-a-lifetime opportunity.

DOME: How does health care IT security differ from the consumer finance field?

RATHOD: Both sectors share a commitment to data protection, but there are key differences in the nature of the data, operating environments and priorities. The big standout to me is the diversity of networked devices we have here. Protecting medical devices is a completely different ecosystem, even just thinking about the inventory of the different devices. So much of the equipment in our hospitals — the X-ray machines, infusion pumps, on and on — is connected to the network.

The second thing I see is that there are a lot of legacy systems within health care, and it is difficult to take those systems offline for repairs or updates. Also, there may be a medical device that may only be replaced every 10 to 20 years, which is a long time in the IT world. Thus, when we're introducing new technology or new security functions, there are special considerations as we do not want to disrupt day-to-day operations.

DOME: Eight years ago, we talked with Darren Lacey about IT security. He explained the threat to our data as people jiggling every “virtual door handle” at Johns Hopkins, day and night, in hopes of finding something unsecure. Has that evolved or changed at all?

RATHOD: He was absolutely right. And that’s still the case. Cyber-threats are unyielding, and the larger threat environment continues to evolve.

First, cybercriminals are an acute threat that’s right in front of us. That is the ransomware headlines you read about on a daily basis.

Then you’ve got nation-state actors, many of which are primarily interested in espionage.

You’ve also got “hacktivism,” which tends to have a geopolitical lens to it. A lot of times, that amounts to low-level activity, such as what we call a “distributed denial of service” attack.

Lastly is the threat from insiders, which could even include mistakes made by users.

These threats have evolved over the years. On the cybercriminal side, we’re seeing a focus on data extortion. It used to be that ransomware actors would lock up systems and demand a ransom. Now, sometimes, they're not even bothering to deliver malware, but just breaking in, stealing data and extorting you.

DOME: Is there one thing that all of us at Johns Hopkins can do to make your job and your team’s job easier?

RATHOD: Definitely. Thank you for the question. Security is a team sport, and each of us play an important role. 

Believe it or not, social engineering, phishing — something we were talking about a decade ago — is still around. When you receive an email from an untrusted source, you want to think twice before clicking it. Even a phone call or a text message that feels suspicious … follow your gut. If it seems suspicious or unnecessarily urgent, it’s best not to click on that link or not to provide sensitive information to an unverified caller. These steps will make a meaningful difference in protecting our organization.