Inside a Real World Ransomware Incident and Recovery with Zach Lewis

Zach Lewis serves as both CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis, bringing nearly a decade of experience across engineering, systems administration, help desk leadership, and executive IT leadership. He oversees technology operations and cybersecurity for one of the oldest pharmacy institutions in the United States, balancing academic continuity, research integrity, and institutional resilience. Zach is also the author of the upcoming book Locked Up: Cybersecurity Threat Mitigation, Lessons from a Real World LockBit Ransomware Response, which documents a firsthand ransomware incident and the leadership decisions required to navigate it. His perspective blends technical depth with lived experience under real pressure.
Here’s a glimpse of what you’ll learn:
- What actually happens inside an organization during a LockBit ransomware attack
- Why incident response planning looks very different in practice than on paper
- How leadership stress, decision making, and communication shape outcomes
- Why recovery and resilience matter more than the illusion of prevention
- How tabletop exercises help but still fail to predict real world chaos
- What CISOs should expect emotionally, operationally, and politically during an incident
- Why transparency and shared learning are still rare but critically needed
- How post incident investments and tooling decisions should be evaluated
In this episode…
Zach Lewis walks through the ransomware incident that ultimately inspired his book. The attack began with system outages that initially looked like aging infrastructure failures during a period of delayed hardware refreshes caused by supply chain issues. After briefly restoring systems, the environment collapsed again, revealing a ransomware note at the hypervisor level. By that point, core files had been encrypted, leaving little opportunity for traditional endpoint or EDR controls to intervene.
Zach explains the rapid shift from disaster recovery to full incident response. External forensics teams, negotiators, cyber insurance, legal counsel, and federal authorities were brought in while the university worked to remain operational. Thanks to a SaaS first strategy adopted prior to the incident, students and faculty were largely unaffected, even as backend systems were rebuilt. Full recovery and remediation took nearly two months, with teams working long hours under extreme pressure.
A central theme of the conversation is the human side of ransomware. Zach describes the stress placed on leadership, the emotional toll on staff, and the importance of remaining calm when others are overwhelmed. He emphasizes that CISOs are not hired to prevent every incident, but to respond, recover, and lead through uncertainty. Clear communication with executives, boards, and end users became just as important as technical recovery.
Zach also discusses why he chose to write Locked Up. Ransomware incidents are often hidden due to legal and reputational concerns, leaving practitioners without real guidance. By openly documenting what happened, including mistakes and lessons learned, Zach aims to provide a practical framework for others who will inevitably face similar events. He closes with advice on incident response planning, out of band communication, backup testing, password manager access, and the value of pre established relationships with the FBI and CISA.
Resources mentioned in this episode
CyberLynx Website
Zach Lewis on LinkedIn
University of Health Sciences and Pharmacy in St. Louis Website
Locked Up: Cybersecurity Threat Mitigation Lessons from A Real-World LockBit Ransomware Response on Wiley
Locked Up: Cybersecurity Threat Mitigation Lessons from A Real-World LockBit Ransomware Response on Amazon
Sponsor for this episode...
This episode is brought to you by CyberLynx.com
CyberL-Y-N-X.com.
CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.
The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.
Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensure that clients are 100% satisfied.
To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.
Transcript:
Cyber Business Podcast – Zach Lewis, CIO & CISO at University of Health Sciences and Pharmacy in St. Louis
Author of Locked Up: Cybersecurity Threat Mitigation — Lessons from a Real-World LockBit Ransomware Response
Matthew: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Zach Lewis, CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis, and author of the upcoming book Locked Up: Cybersecurity Threat Mitigation — Lessons from a Real-World LockBit Ransomware Response. Zach, welcome to the show.
Zach: Thanks, Matt. Happy to be here.
Matthew: Great having you. Before we get too far in, a quick word from our sponsors.
[SPONSOR READ: This episode is brought to you by CyberLynx.com. Do you know if a hacker is in your system? Most people and most companies don't — until it's too late and the hacker has already done damage. A hacker's job is to bypass your security, so companies need a way of knowing when someone has gotten past their defenses. That's where CyberLynx comes in. We've partnered with the best cybersecurity companies in the world to provide our clients with the best solutions at the best prices — whether it's managed SIEM, SOC, EDR, MDR, or XDR. We'll help you find the right solution at the right price. Find out more at CyberLynx.com.]
And now back to our show. Zach, for those who aren't familiar, can you tell us about UHSP and your dual roles there?
Zach: Yeah, definitely. The University of Health Sciences and Pharmacy is one of the oldest pharmacy schools in the country — about 162 years old. I've been here almost 10 years total, serving as CIO and CISO for about five of those. I've held a range of roles over that time, from engineer to network and systems administration to Director of the Help Desk, then IT leadership, and eventually adding the security side. It's been a good run.
Matthew: Fantastic. I'd love to talk about your upcoming book. January 6th, right?
Zach: January 6th, that's right.
Matthew: Tell us about Locked Up.
Zach: So Locked Up tells the story of a ransomware incident we actually experienced here at the university. We ran into a LockBit ransomware attack a few years back. I try to tell the whole story — I give some background on the LockBit threat group, which was one of the most prolific ransomware groups of 2022 and 2023. They were taken down by the FBI in 2024, and we're actually starting to see a bit of a resurgence — reports of them regrouping and forming something of a cartel on the dark web. But they came into our environment, encrypted a significant amount of our data, and attempted to exfiltrate information. I walk through everything: where we were before the incident, what happened during it, the decisions we made, why we made them, who it affected — and then at the end I wrap up with what we did to remediate, how we bolstered the security program, and some best practice guidance.
The reason this book matters is that a lot of ransomware attacks and data breaches get swept under the rug. There are legal reasons for that, there are liability reasons, there are PR reasons. The big breaches get covered in the news, but you rarely get a walk-through of what actually happens during an incident. And as ransomware attacks continue to increase year over year, having a guiding framework — even if every incident is a little different — is really important for practitioners.
Matthew: I couldn't agree more. We've had this conversation on the podcast several times — CISOs largely agree that the community needs to communicate more openly about incidents, but publicly it stays very hush hush. How did you get this past legal?
Zach: After the attack happened, I mentioned to a few members of the leadership team that I was going to start presenting on it at conferences. Nobody had a problem with that. And at those conferences, after I'd finish presenting, people would come up with tons of questions. I realized I had something worth developing further. So I decided to write a book, let the team know that's what I was doing, and everyone was supportive. When I finally signed the contract with Wiley, I brought it to our general counsel, we went through it, got some notes, went back and forth — and we moved forward. We had already made a public disclosure about the incident, I was already speaking about it openly, and general counsel had reviewed everything. I felt good about that check mark.
Matthew: Great. So walk us through the story — how did it happen? How did you find out? Give us the dramatic bits.
Zach: It started with a phone call one morning — part of our on-premises environment was down and unavailable. We had known we had a lot of end-of-life hardware. We had refresh dates coming up and new equipment on order, but this was right off of COVID supply chain issues and we'd been waiting a long time for things to arrive. So I went into the office and we started trying to restore the server environment, working with our network director, doing recovery mode booting. Over the span of a couple of days we actually managed to get the environment back up. We were running VMware, which becomes important. Everything was up for about 10 to 12 hours — and then it came crashing back down and we couldn't get anything restored.
At that point we're looking at the root files on the hypervisor — the system that runs all of our virtual servers — and we find a note. A README file. We open it, and it's the ransomware demand. They had come into our environment and were attempting to exfiltrate data, and at some point either tripped something or did something that knocked the system offline. When they saw us trying to restore things, I believe they realized we were on to them and triggered the ransomware intentionally. When it went off, it encrypted all the root files on the hypervisor. So at that point you have nothing watching — no EDR running there, no protection of any kind at the hypervisor level. It's not just a server getting encrypted — it's the boot files and everything else. We had no backup of that environment per se.
So we stopped disaster recovery, moved into incident response, activated resources, and started making calls. Threat negotiators came in, forensics teams came in, insurance was contacted, the FBI, the board — we were just trying to figure out how they got in and start recovering on whatever hardware we had available. In the book I talk about one moment where we needed to stand up Active Directory for authentication and actually grabbed a gaming PC from our esports department. We figured that would be the most powerful Active Directory server ever run. But we ran into all kinds of hurdles, which I cover in detail. All told, we didn't have to close shop — we stayed operational — but full recovery and remediation to the endpoint took almost two months.
Matthew: Wow. Did you ever find out how they got in?
Zach: We did. Compromised credentials coming in through a VPN.
Matthew: Classic. And that battle hardening — you don't really know how you'll react until you're in it.
Zach: Exactly. We'd actually run a tabletop exercise the previous November — the attack happened in April. The tabletop went well. We talked through who makes public notifications, who approves what, everyone felt good about the plan. And then it actually happens and curveballs start flying. The plan helps, but it doesn't prepare you for everything. As the CISO, your job in that moment is to be calm and collected. You're the one with the plan. Your team members may never have been through this — they're going to be stressed, maybe panicking — and they need to see a leader who is steady, who can pivot, who can make decisions. Internally I may have been stressed, but you can't project that. And expect late nights — all-nighters, long phone calls, cancelled trips. I called my wife the first night and said, "We've had a ransomware attack. I'm going to be late for a while. And I might be out of a job when this is over. Buckle up."
Matthew: And that's the fear, right? As the leader, the responsibility lands on you. And a lot of people in that position would assume it's the end. How did that play out for you?
Zach: The CISO being the scapegoat used to be a lot more common, and that trend is starting to shift — which is a good thing. You don't want to get rid of the person who knows your environment. Keep him around at least until things are recovered. And as these attacks have become more frequent, businesses are starting to understand that the CISO's job isn't to prevent every incident from ever happening. It's to recover and pivot when an incident does happen. That's an important distinction that a lot of people still don't fully understand.
Part of why I was positioned well going into this was the work we'd done beforehand communicating with our board. We'd been bringing in guest speakers, sharing industry stats, painting a picture of the threat landscape so they understood what to expect. We also had a CIO of a major national pharmacy chain sitting on our board. When I went in to tell them about the incident, he was there saying, "Guys, this is part of business. I've seen this. Our CISO has it under control. We're going to be OK." Having that voice in the room was invaluable.
I think even if it had been a worse event, I'd still be here. We managed to mitigate a lot of the negative side effects and recover relatively quickly. But the tabletop definitely helped — we'd already gotten everyone bought into the idea that this is a shared responsibility and these things can happen to anyone. LockBit breached Boeing. They breached TSMC, the largest semiconductor manufacturer on the planet. They hit UK royal government entities. We were small fish. If they're getting hit, our board understood what we were up against.
Matthew: And that's the message — you can be doing everything right and still get hit. When I was in military intelligence, even 25 years ago on the classified SIPRNET we were seeing over 10,000 attempts to breach it per day. You have to assume they're getting in. The question is what you do about it. So talk us through the communication side — you stayed operational, which was a huge win. What did that look like?
Zach: The first meeting was essentially: we've had a cyber attack, this is what's going on, we're still gathering information. Day two we had outside counsel in who specializes in cyber incidents, threat negotiators, and forensics teams — all requesting different things, pulling logs, trying to scope the attack. The first question from leadership was always: do we have to close? Can students still attend classes? Can research continue? Fortunately, I had pivoted us to a heavily SaaS-first environment in the years leading up to this, so a lot of our operations were segmented by nature. Students and faculty had no idea anything had happened — they could log in, attend class, submit assignments, take quizzes. Once we could reassure leadership that the core business was still functioning, the conversation shifted to: what did they get? What's down? What was potentially stolen?
They were asking for $1.5 million for a few hundred gigabytes of data. So then you're trying to figure out what's actually in that data — is it student PII? Faculty information? Financial data? Research IP? That's really hard to answer in the first couple of days. We were meeting daily for the first couple of weeks, giving regular board updates, and just sharing everything we knew as we learned it. It's a lot of moving pieces all at once.
Matthew: So in retrospect, what's your advice to people who haven't been through this? How do you prepare?
Zach: First — have an incident response plan. Know your environment: where are your most critical systems, where does your most important data live, who has access to it. Your incident response plan needs to incorporate your disaster recovery plan — what has to be up for you to operate. Have your contact numbers ready: cyber insurance, how to reach them, the specific order and time frame in which you're required to contact them. I'm a strong proponent of filing an IC3 form and contacting both the FBI and CISA. They're not going to put hands on keyboards to restore your environment, but they offer real resources — CISA has free DNS monitoring, vulnerability scanning, pen testing and more, especially if you're in a critical infrastructure sector. The FBI can collect information that may help them build a case and potentially recover ransom funds if they have account numbers, Bitcoin wallets, and related data upfront.
Build those relationships before you need them. Know your local FBI field office. Meet with them. Bring them in to talk to your board. Join InfraGard — it's a great FBI-partnered organization. When an attack happens, you don't want it to be the first time you've spoken to these people. I have several agents' numbers in my phone. I was able to text them the night of.
Test your backups regularly. Make sure you can actually restore from them. They're still the best recovery option we have for ransomware. And keep a hard copy of your incident response plan somewhere safe — if your environment is encrypted, your digital copy is inaccessible. Having that physical document to work from when you're under extreme stress, so you can just follow the checklist step by step, is invaluable. Include everything in it: license keys, vendor phone numbers, instructions for standing up specific systems. You don't want to be hunting for a backup software activation key in your inbox at 2 AM.
One lesson we learned the hard way: if you use a local password manager and it's on an encrypted machine, those passwords are gone with it. Migrate to a cloud-based password manager, or keep a printed or offline backup of your most critical credentials in a safe somewhere. That one didn't come up in our tabletop, and it added a lot of stress at the worst possible moment.
Matthew: What about out-of-band communication? That seems like something a lot of people miss.
Zach: Big one. When you're attacked, you have to assume the threat actors are still in your environment and may be watching your emails and chat systems. We stood up Gmail accounts quickly so we could communicate with the incident response team, leadership, and outside counsel through channels that weren't being monitored. You can do that proactively and keep those credentials somewhere offline. We did it reactively, but it worked. That was a gap in our original incident response plan that we've since closed.
Matthew: And what about the human impact on your end users — the faculty and staff who found out what happened?
Zach: We waited a bit before making the broad internal announcement. We wanted to be able to answer questions before people started asking them. When we did announce it, there was definitely anxiety. People were worried their personal files — photos, personal documents they'd stored on work shares — might be in the hands of bad actors. I had people asking whether threat actors would come to their homes because their home address or asset inventory was in the compromised data. They don't understand how these groups operate — they're not burglars, they're financially motivated criminals operating overseas. So a lot of what I did was sit down individually with people who had concerns and walk them through how these groups work, what they're after, what they're looking for.
And let me be clear — it is not the time to lecture people about storing personal files on work systems. That conversation can happen later in a mass communication. In the moment, just be a sounding board, answer their questions, and help them feel heard.
And be prepared for the long tail. After an announcement like this, any problem anyone experiences — in IT or in their personal lives — becomes attributed to the breach. Investment account oddity? It's the breach. A roof leak? The breach. And then we had the misfortune of the MOVEit breach hitting right in our recovery window, with several third-party vendors we worked with getting hit through that. So we're sending notifications about additional account compromises that have nothing to do with our incident, and at a moment when trust was already fragile. That was a really tough stretch.
Matthew: So coming out the other side — were there any cool new tools or products that the incident opened the door for?
Zach: Never let a good crisis go to waste, right? The board asked what we needed to prevent this from happening again, and we were honest that nothing bulletproofs you — cybersecurity is a process, not a state — but we were able to make the case for some investments. We implemented Island, an enterprise browser, which makes a lot of sense for us as a SaaS-first organization. When everything lives in the cloud and you want people to be able to access it from everywhere, securing at the browser layer is a logical move.
We also rolled out Concentric AI, which is a data security posture management platform. That kicked off a major data governance journey we're still on — classifying and labeling everything so we never again find ourselves in a situation where we can't tell leadership what's in the data that was potentially exfiltrated. And we're doing a design partnership with a company in stealth right now working on AI-powered DLP, which is exciting.
On the contract side, I've also shifted my philosophy. On the IT side of the house, multi-year contracts for cost savings made sense. On the security side, I'm moving toward annual arrangements where possible. The threat landscape changes too fast to be locked into a five-year commitment. I may need to reallocate that budget to close a different hole six months from now.
And the one-in, one-out principle. Any time we bring a new tool in, we try to sunset something else. My team isn't huge. Too much tool sprawl means nothing gets used properly. You want the right set of tools, configured correctly, with people who are actually good at using them — not a hundred tools none of which are tuned right.
Matthew: That is really smart. It's a discipline that a lot of organizations struggle with. Zach, this has been an absolute blast. Before we go — where can people find out more about you and get a copy of Locked Up?
Zach: Find me on LinkedIn — Zachary Lewis — I post there regularly. I also have a website, homesteadingciso.com, which is a topic for another conversation, but there you'll find posts, media appearances, and links to the book. The book is available for pre-order on Amazon, Books-A-Million, Barnes & Noble, Target, and pretty much wherever books are sold. Locked Up: Cybersecurity Threat Mitigation — Lessons from a Real-World LockBit Ransomware Response. Yes, I picked the longest title possible. January 6th — grab it. And if you have questions, reach out. Happy to answer anything.
Matthew: Fantastic. Best of luck with the launch. And let's get you back on after it's out for a follow-up episode. Until then — thanks, Zach.
Zach: Thank you, Matt.