Biggest cybersecurity need? Not tech, but culture change and boardroom support
ORLANDO ― Sunday’s Cybersecurity Forum at HIMSS17 focused on the need for organizational change, better understanding of technology and recognizing the human role in security.
Cybersecurity takes a culture of organization, according to Heather Roszkowski, network CISO at the University of Vermont Health Network.
“A lot of healthcare organizations are interested in doing things the way they’ve always been done, but security is always changing,” Roszkowski said. “How do we change the culture to support that?”
For Timothy Torres, senior deputy CISO of Sutter Health, it all starts at the top, in the boardroom, and moves down. A “culture of awareness” that begins in the boardroom and trickles down into every other department will allow an organization to begin pushing through those barriers.
“Without support from the top, you’ll continually be going against the grain,” Torres said.
The problem is that many organizations are working from the bottom up, and fixing problems that are already in the system, he said. Once a security mentality is ingrained from the top, the right choices will be made throughout the organization.
But the real issue?
They “don’t want security to get in the way of doing business,” said John Houston, Vice President of Privacy and Information Security at UPMC.
To combat this, security teams need to understand board members are concerned with how security will interrupt functions, Torres explained. You have to figure out what’s important to them and put security in terms they understand.
“Once you do have their support, it’s amazing the potential for security,” said Torres.
Houston agreed that security leaders need to see what the board is made of, and a lot of “financial board members understand the mentality of security. Often they understand better because they’ve had breach experiences within their organization.”
While sometimes it’s just a small breach, Houston said, “that’s all it takes to raise a tiny bit of awareness.”
“Breaches are a great example to use with board members, on issues that have happened to you,” Roszkowski said. “There’s only so far you can get, using examples from what happens to everyone else.”
Not only do organizations need to start at the board, but operations also needs to understand its role when it comes to security, Torres explained.
“The human aspect is most important when it comes to what led to an incident,” said Torres. Breaches should be put into terms organizations can understand, by explaining the effect a security incident has on patient safety, care quality, business contacts and clinical operations.
In doing so, “you have much more credibility to solve this properly,” said Torres.